Abstract

We study the dynamic software update problem for programs interacting with an environment that is not necessarily updated. We argue that such updates should be backward compatible. We propose a general definition of backward compatibility and cases of backward compatible program update. Based on our detailed study of real world program evolution, we propose classes of backward compatible update for interactive programs, which are included in an average of 32% of all studied program changes. The definitions of update classes are parameterized by our novel framework of program equivalence, which generalizes existing results on program equivalence to non-terminating executions. Our study of backward compatible updates is based on a typed extension of the W language.

Categories and Subject Descriptors D.3.1 [Formal Definitions and Theory]: Semantics, Syntax; D.2.4 [Software/Program Verification]: Correctness Proof, Formal Methods; F.3.2 [Semantics of Programming Languages]: Operational Semantics, Program Analysis; D.3.3 [Language Constructs and Features]: Input/output, Procedures, functions, and subroutines

General Terms Theory 

Keywords dynamic software update, backward compatibility, 
program equivalence, proof rule, operational semantic 
1. Introduction

Dynamic software update (DSU) allows programs to be updated in the middle of their execution by mapping a state of an old version of the program to that of a newer version. The ability to update programs without having to restart them is useful for high-availability applications that cannot afford the downtime incurred by offline updates. DSU has been an active area of research [?], with much of the published work emphasizing the update mechanism that implements a state mapping which maps the execution state of an old version of the program to that of a new version. DSU safety has not yet been successfully studied. Existing studies on DSU safety are lacking in one way or another: high-level studies are concerned with change management for system components [?], and lower-level studies typically require significant programmer annotations [?] or have a restricted class of applications to which they apply (e.g., controller systems [?]).

In this paper, we consider the safety of DSU when applied to possibly non-terminating programs interacting with an environment that is not necessarily updated. For such updates, the new version of the program must be able to interact with the old environment, which means that it should be, in some sense, backward compatible with the old version. A strict definition of backward compatibility would require the new version to exhibit the same I/O behavior as the old version; in other words, the two programs are observationally equivalent. It should be immediately clear that a more nuanced definition is needed, because observational equivalence does not allow changes which one would want to allow as backward compatible, such as bug fixes, new functionality, or usability improvements (e.g., improved user messages). Allowing for such differences would be needed in any practical definition of backward compatibility. One contribution of this work is a general definition of backward compatibility, a classification of common backward compatible program behavior changes, as well as classes of program change from real world program evolution.

Determining backward compatibility, which allows for differences between two program versions, requires one to solve the semantic equivalence problem, which has been extensively studied [?]. Unfortunately, existing results turned out to be lacking in one or more aspects, which rules out retrofitting them for our setting. In fact, existing work on program equivalence typically guarantees equivalence at the end of an execution. Such equivalence is not adequate for our purposes because it does not allow us to express that a point in the middle of a loop execution of one program corresponds (in a well defined sense) to a point in the middle of a loop execution of another program. The ability to express such correspondences is desirable for dynamic software update. Besides, existing formulations of the program equivalence problem either do not use formal semantics [?], only apply to terminating programs [?], severely restrict the programming model [?], or rely on some form of model checking [?] (which is not appropriate for non-terminating programs with infinite states). Our goal for program equivalence is to establish compile-time conditions ensuring that two programs have the same I/O behavior in all executions. In particular, if one program enters an infinite loop and does not produce a certain output, the other program should not produce that output either. This is different from much of the literature on program equivalence, which only guarantees the same behavior in terminating executions.

The closest work that aims to establish program equivalence for nonterminating programs is that of Godlin and Strichman [?], who give sufficient conditions for semantic equivalence for a language that includes recursive functions but does not allow loops (loops are extracted as recursive functions). That, and the fact that equivalence is enforced on corresponding functions, severely limits the applicability of the work to general transformations affecting loops, such as loop-invariant code motion and loop fission/fusion. So, as a major component of our formal treatment of backward compatible updates, we set out to develop sufficient conditions for semantic equivalence for programs in a typed extension of the W language [?] with small-step operational semantics. The syntax of the language is extended with arrays and enumeration types, and the semantics take into consideration the execution environment to allow various classes of updates.

In summary, the paper makes the following contributions: 

1. We formally define backward compatibility and identify cases 
of backward compatible program behavior for typical program 
update motivation. 

2. We identify and formally define classes of program changes 
that result in backward compatible program update based on 
empirical study of real world program evolution. 

3. We give a formal treatment of the semantic equivalence for 
nonterminating imperative programs. 

The rest of the paper is organized as follows. Section 2 proposes the general backward compatibility and cases of backward compatible new program behavior. Then we describe real world update classes that result in backward compatible update in Section 3. Section 4 formally defines our extension of the W language to study backward compatible updates. Section 4.3 shows terms, notations and definitions (e.g., execution) heavily used in the technical results. The technical results on semantic equivalence are presented in Section 5. We propose our formal treatment of real world update classes in Section 6. A more detailed comparison to related work is given in Section 7. Section 8 concludes the paper.

2. Backward compatibility 

2.1 Programs and Specifications 

Programs are designed to satisfy specifications. A specification can be explicitly provided or implicitly defined by the behavior of a program. Programs interact with their environment by receiving inputs and producing outputs. In this section we introduce enough of a computing model to describe the input/output behavior of programs; in the next section we introduce a specific programming language to reason about specific software updates.

An execution of a program consists of a sequence of steps from a finite set of steps, $S = S_{in} \cup S_{internal} \cup S_{out} \cup \{halt\}$. A step of a program can either be an input step in which input is received, an internal step in which the state of the program is modified, an output step in which output is produced, or a halt.

We make a distinction between the internal state of a program and the external state (e.g., application settings) of the local environment in which the program executes. Such external state can include the state of a file system that the program can access; we include both as part of the program state. The state of a program is an element of a set $M \times \mathcal{I}$, where the set $M = M_{int} \times M_{ext}$, $M_{int} = \prod_{k=1}^{n_{int}} V_k$ is a cartesian product of $n_{int}$ sets of values, one for each internal memory location, and $M_{ext} = \prod_{k=1}^{n_{ext}} V_k$ is a cartesian product of $n_{ext}$ sets of values, one for each external location. The input value last received is an element of the set $\mathcal{I}$ of input values.

A program executes in an execution environment. An execution environment $(M_{ext_0}, I)$ specifies an initial value $M_{ext_0}$ for the external program state and a possibly infinite sequence of input values $I$. The input sequence is assumed to be produced by users that we do not model explicitly.

A step of a program $P$ is a mapping that specifies the next program state and the next step to execute. For an internal step $s_{internal} \in S_{internal}$, the mapping is $s_{internal} : M \times \mathcal{I} \to S \times M \times \{\bot\}$, which specifies the next step and how the state is modified. The internal steps clear the input in the state, if any. For an output step $s_{out} \in S_{out}$, the mapping $s_{out} : M \to S \times O$ specifies the next step to execute and the output value produced. $O$ is the set of output values produced by the program. An input step $s_{in} \in S_{in}$ is simply an element of $S \times \mathcal{I}$ and specifies the next step to execute and the input obtained from the environment. (We simply write $s_{in}()$ to denote the next step and the input received.) Because the input value is received by the program, we do not restrict the next step to execute. We allow the input value to be ignored by the program by two consecutive input steps. When the step is $halt$, there is no further action, as if $halt$ were mapped to itself.

Definition 1. (Program) A program $P$ is a tuple $(S, M, M_{int_0}, s_0, \mathcal{I}, O)$, where $S$ is the set of steps as defined above, $M$ is the set of program states, $M_{int_0}$ is the initial internal state, $s_0$ is the initial step, and $\mathcal{I}$ and $O$ are disjoint sets of input and output values.

We do not include the initial external state $M_{ext_0}$ in the program definition; we include it in the execution environment of $P$.

Definition 2. (Execution) An execution of a program $P = (S, M, M_{int_0}, s_0, \mathcal{I}, O)$ in execution environment $(M_{ext_0}, I)$, where $I$ is a possibly infinite sequence of input values from $\mathcal{I}$, is a sequence of configurations $C$ from the infinite set $\{(M, s, i, I_r, IO)\}$. A configuration $c$ has the form $c = (M, s, i, I_r, IO)$, where $M$ is a state, $s$ is a step, $i$ is the last input received, $I_r$ is the sequence of remaining input values and $IO$ is the input/output sequence produced so far. The $k$th configuration $c_k$ in an execution is obtained from the $(k-1)$th configuration $c_{k-1} = (M, s, i, I_r, IO)$, where $s \neq halt$, in one of the following cases:

1. The first configuration $c_0$ is of the form $(M_0, s_0, \bot, I, \emptyset)$, where $M_0 = (M_{int_0}, M_{ext_0})$;

2. $s \in S_{internal}$: $c_k = (M', s', \bot, I_r, IO)$, where $(s', M', \bot) = s(M, i)$;

3. $s \in S_{in}$ and the remaining input $I_r$ is not empty: $c_k = (M, s', head(I_r), tail(I_r), IO \cdot head(I_r))$, where $(s', head(I_r)) = s(I_r)$;

4. $s \in S_{in}$ and the remaining input $I_r$ is empty: $c_k = c_{k-1}$;

5. $s \in S_{out}$: $c_k = (M, s', i, I_r, IO \cdot o')$, where $(s', o') = s(M)$.

In the definition, $head(I)$ denotes the head (leftmost) element in the sequence $I$ and $tail(I)$ denotes the remaining sequence without the head. The input value in $i$ is either consumed by the next internal step or updated by another input from the next input step. Execution is stuck if an input step is attempted in a state in which there are no remaining inputs. In what follows, we include the execution environment in the execution and we abuse notation to say $(M_{ext_0}, I, C)$ is an execution of a program $P$.

Specifications We consider specifications that define the in¬ 
put/output behavior of programs. Specifications are not concerned 
with how fast an output is produced or about the internal state of 
the program. 

Definition 3. (Specification) Given a set $M_{ext}$ of external states, a set $seq(\mathcal{I})$ of input sequences, and a set $seq(\mathcal{I} \cup O)$ of I/O sequences, a specification $\Sigma$ is a predicate $M_{ext} \times seq(\mathcal{I}) \times seq(\mathcal{I} \cup O) \to \{true, false\}$.

We define the I/O sequence of a sequence of configurations $C$ to be a sequence $IO(C)$ of values in $\mathcal{I} \cup O$ such that every finite prefix of $IO(C)$ is the $IO$ sequence of some configuration $c \in C$ and every I/O sequence of a configuration $c \in C$ is a finite prefix of $IO(C)$.

An execution $(M_{ext_0}, I, C)$ of program $P$ satisfies a specification $\Sigma$ if $\Sigma(M_{ext_0}, I, IO(C)) = true$. A specification distinguishes executions into those that satisfy the specification and those that do not.

A specification defines the external behavior of a program that is observed by a user. The input sequence and I/O sequence are obviously part of the external behavior. We also include $M_{ext}$ in the specification domain because a user can have information about the external state. For example, a user who has data stored in the file system considers the program's refusal to access the stored data a violation of the service specification; this is not the case if the user has no stored data.

2.2 Hybrid executions and state mapping 

DSU is a process of updating software while it is running. This 
results in a hybrid execution in which part of the execution is that 
of the old program and part of the execution is for the new program. 

A state mapping is a function $\delta$ mapping an internal state and a non-halt step of one program $P$ to an internal state and a step of another program $P'$, $\delta : M_{int} \times (S \setminus \{halt\}) \mapsto M'_{int} \times S'$. The external state is not mapped because the environment is not necessarily updated. In addition, we cannot change input and output that already occurred, and that I/O must be part of the hybrid execution.

Definition 4. (Hybrid execution) A hybrid execution $(M_{ext_0}, I, C_P; C_{P'})$, produced by DSU using state mapping $\delta$ from program $P$ to program $P'$, is an execution $(M_{ext_0}, I, C_P)$ of $P$ concatenated with an execution $(M'_{ext}, I'_r, C_{P'})$ of $P'$, where the first configuration $c_{P'} = ((M'_{int}, M'_{ext}), s', i', I'_r, IO')$ in $C_{P'}$ is obtained by applying the state mapping to the last configuration $c_P = ((M_{int}, M_{ext}), s \,(\neq halt), i, I_r, IO)$ in $C_P$ as follows:

• $(M'_{int}, s') = \delta(M_{int}, s)$;

• $(i' = i) \wedge (I'_r = I_r) \wedge (IO' = IO) \wedge (M_{ext} \subseteq M'_{ext})$.

2.3 Backward compatibility 

In this paper, we consider updates in which the environment is not necessarily updated. It follows that in order for the hybrid execution to be meaningful, the new program should provide the functionality expected by both old and new users of the system.

In practice, specifications are not explicitly available. Instead, the program is its own specification. This means that the specification that the program satisfies can only be inferred from the external behavior of the program. Bug fixes create a dilemma for dynamic software updates. When a program has a bug, its external behavior does not capture its implicit specification, and the update will change the behavior of the program. In what follows, we first discuss what flexibility can be afforded for a backward compatible update, and then we give formal definitions of backward compatibility and state our assumptions for allowing bug fixes.

We consider a hybrid execution starting from a program $P = (S, M_{int} \times M_{ext}, M_{int_0}, s_0, \mathcal{I}, O)$ and being updated to a program $P' = (S', M'_{int} \times M'_{ext}, s'_0, \mathcal{I}', O')$. We examine how the two programs should be related for a meaningful hybrid execution.

1. (Inputs) The input set $\mathcal{I}'$ of $P'$ should be a superset of the input set $\mathcal{I}$ of $P$ to allow old users to interact with $P'$ after the update. It is possible to allow for new input values in $\mathcal{I}'$ to accommodate new functionality, under the assumption that old users do not generate new input values. Such new input values should be expected by old users to produce erroneous output, as they are not part of $P$'s specification.

2. (Outputs) Output produced by $P'$ should be identical to output produced by $P$ if all the input in an execution comes from the input set of $P$. This is needed to ensure that interactions between old users and the program $P'$ make sense from the perspective of old users. This is true in the case that the update does not involve a bug fix, but what should be done if the update indeed involves a bug fix and the output produced by the old program was not correct to start with? As far as syntax, a bug fix should not introduce new output values. As far as semantics, we should allow the bug fix to change what output is produced for a given input. We discuss this further under the bug fix heading. In summary, if we ignore bug fixes, the new program should behave as the old program when provided with input meant for the old program.

3. (Bug fix) Handling bug fixes is problematic. If the produced output already violates the fix, then there is no way for the hybrid execution to satisfy the implicit semantics of the program or the semantics of the new program. Some bug fixes can be handled. For example, a bug that causes a program to crash for some input can be fixed to allow the program to continue executing. Applying the fix to a program that has not encountered the bug should not be problematic. Another case is when the program should terminate for some input sequence, but the old program does not terminate. A bug fix that allows the program to terminate should not present a semantic difficulty for old users.

In general, we assume that there are valid executions and invalid executions of the old program. I/O sequences produced in invalid executions are not in the specification of the program. We assume that an invalid execution will lead to an error configuration not explicitly handled by the program developers. We do not expect the state mapping to change an error configuration into a non-error configuration, just as static updating does not fix errors that have already occurred. Besides, we do not attempt to determine if a particular configuration is an error configuration. Such determination is not possible in general and very hard in practice. We simply assume that the configuration at the time of the update is not an error configuration (which is equivalent to assuming the existence of an oracle $J_P$ to determine if a particular configuration is erroneous, $J_P(c_P) = true$ if the configuration $c_P$ is not erroneous).

4. (New functionality) New functionality is usually accompanied by new inputs/outputs and the expansion of external state. We assume that new functionality is independent of existing functionality in the sense that programs $P$ and $P'$ produce the same I/O sequence when receiving inputs in $\mathcal{I}$ only. We therefore assume all new inputs $\mathcal{I}' \setminus \mathcal{I}$ are introduced by new functionality.

Every external state of $P$ is part of some external state of program $P'$ because of the definition of the specification of $P$. We only consider expansion of the external state of $P$ for new functionalities in $P'$ where the expansion of external state is independent of values in the existing external state. One of the motivating examples is to add application settings for a new program feature.

In light of the discussion above we give the following definition 
of backward compatibility in the absence of bug fixes. 

Definition 5. (Backward compatible hybrid executions) Let $P = (S, M_{int} \times M_{ext}, M_{int_0}, s_0, \mathcal{I}, O)$ be a program satisfying a specification $\Sigma$. We say that a hybrid execution $(M_{ext_0}, I, C_P; C_{P'})$ from $P$ to a program $P' = (S', M'_{int} \times M'_{ext}, s'_0, \mathcal{I}', O')$ is backward compatible with the implicit specification of $P$ if all of the following hold:

• The last configuration in $C_P$ is not an error configuration, $c_P = (M, s, i, I_r, IO) : J_P(c_P) = true$;

• The hybrid execution satisfies the specification $\Sigma$ of $P$, $\Sigma(M_{ext_0}, I, IO(C_P; C_{P'})) = true$;

• Inputs/outputs/external states of $P$ are a subset of those of $P'$: $\mathcal{I} \subseteq \mathcal{I}'$, $O \subseteq O'$ and $M_{ext} \subseteq M'_{ext}$.

If there is a bug fix between programs $P'$ and $P$, we need to adapt Definition 5 to allow for some executions on input sequences from $\mathcal{I}$ to violate the specification of $P$. Above we identified two cases in which bug fixes are safe (replacing a response with no response, or replacing no response with a correct response without introducing new output values). We omit the definition.

We obtain backward compatible updates by extending the definition of a backward compatible hybrid execution to all possible hybrid executions.

Definition 6. (Backward compatible updates) We say an updated program $P'$ is backward compatible with a program $P$ in configuration $C$ if there is a hybrid execution from configuration $C$ of $P$ to $P'$ that is backward compatible with the specification of $P$.
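The computing model of Definitions 1, 2 and 4 and the backward compatibility check of Definition 5 (without bug fixes), as an added example that is not part of the paper: the two statements of Fig. 4 are wrapped in an interactive read/output loop of our own construction, the state mapping $\delta$ sends each old step to its new counterpart and initialises the new configuration variable b, and the check uses the old program as its own specification as Section 2.3 suggests. Step names, the input set {0,...,9} and the input sequence are assumptions.

```python
"""Added example (not the paper's code): a simulator of the computing model
of Definitions 1, 2, 4 and 5. The interactive loop wrapped around Fig. 4's
statements (old: output a + 2; new: if (b) then output a * 2 else
output a + 2) and all step names are our construction."""
from typing import Any, Dict, List, Set, Tuple

BOTTOM = None   # the paper's ⊥: no pending input value
Config = Tuple[Any, str, Any, List[int], List[Tuple[str, int]]]  # (M, s, i, I_r, IO)

class Program:
    """Definition 1: (S, M, M_int0, s0, I, O) with M = M_int x M_ext. A step is
    ("in", next), ("internal", f), ("out", g) or ("halt",), where
    f(M, i) -> (next, M') and g(M) -> (next, output)."""
    def __init__(self, steps: Dict[str, tuple], m_int0: dict, s0: str,
                 inputs: Set[int], outputs: Set[int]) -> None:
        self.steps, self.m_int0, self.s0 = steps, m_int0, s0
        self.inputs, self.outputs = inputs, outputs

def initial(p: Program, m_ext0: dict, inputs: List[int]) -> Config:
    """Definition 2, rule 1: c_0 = ((M_int0, M_ext0), s0, ⊥, I, empty IO)."""
    return ((dict(p.m_int0), dict(m_ext0)), p.s0, BOTTOM, list(inputs), [])

def execute(p: Program, c0: Config, max_steps: int = 200) -> List[Config]:
    """Definition 2, rules 2-5; max_steps is our bound so that a
    non-terminating interactive loop still yields a finite prefix."""
    confs = [c0]
    for _ in range(max_steps):
        m, s, i, ir, io = confs[-1]
        step = p.steps[s]
        if step[0] == "halt":
            break
        if step[0] == "internal":            # rule 2: consumes/clears the input
            nxt, m2 = step[1](m, i)
            confs.append((m2, nxt, BOTTOM, ir, io))
        elif step[0] == "in":
            if not ir:                       # rule 4: stuck, c_k = c_{k-1}
                break
            confs.append((m, step[1], ir[0], ir[1:], io + [("in", ir[0])]))
        else:                                # rule 5: output step
            nxt, o = step[1](m)
            confs.append((m, nxt, i, ir, io + [("out", o)]))
    return confs

def assign_a(nxt: str) -> tuple:
    """Internal step 'a := i' (the pending input), then continue at nxt."""
    return ("internal", lambda m, i: (nxt, ({**m[0], "a": i}, m[1])))

INPUTS = set(range(10))                      # I: the inputs old clients send
OLD = Program({                              # Fig. 4, old: output a + 2
    "read": ("in", "set"),
    "set": assign_a("emit"),
    "emit": ("out", lambda m: ("read", m[0]["a"] + 2)),
}, {"a": 0}, "read", INPUTS, {a + 2 for a in INPUTS})
NEW = Program({   # Fig. 4, new: if (b) then output a * 2 else output a + 2
    "read'": ("in", "set'"),
    "set'": assign_a("branch"),
    "branch": ("internal", lambda m, i: ("emit2" if m[0]["b"] else "emit1", m)),
    "emit1": ("out", lambda m: ("read'", m[0]["a"] + 2)),
    "emit2": ("out", lambda m: ("read'", m[0]["a"] * 2)),
}, {"a": 0, "b": 0}, "read'", INPUTS,
   {a + 2 for a in INPUTS} | {a * 2 for a in INPUTS})
STEP_MAP = {"read": "read'", "set": "set'", "emit": "emit1"}

def state_mapping(b_value: int):
    """Definition 4's delta: (M_int, s) of OLD -> (M'_int, s') of NEW, with the
    new configuration variable b initialised to b_value."""
    return lambda m_int, s: ({**m_int, "b": b_value}, STEP_MAP[s])

def hybrid(p: Program, p2: Program, delta, m_ext0: dict, inputs: List[int],
           k: int) -> Tuple[List[Config], List[Config]]:
    """Definition 4: k transitions of p, then p2 from the mapped state;
    i, I_r and IO carry over, M_ext is kept as is (so M_ext ⊆ M'_ext)."""
    cp = execute(p, initial(p, m_ext0, inputs), max_steps=k)
    (m_int, m_ext), s, i, ir, io = cp[-1]
    assert p.steps[s][0] != "halt", "delta is only defined on non-halt steps"
    m_int2, s2 = delta(m_int, s)
    return cp, execute(p2, ((m_int2, m_ext), s2, i, ir, list(io)))

def backward_compatible(p: Program, p2: Program, delta, m_ext0: dict,
                        inputs: List[int], k: int) -> Tuple[bool, list]:
    """Definition 5 without bug fixes, with p as its own specification (Sec. 2.3):
    I ⊆ I', O ⊆ O', and the hybrid execution's I/O sequence must equal the one
    p alone produces in the same environment. The oracle J_P is assumed true."""
    if not (p.inputs <= p2.inputs and p.outputs <= p2.outputs):
        return False, []
    spec_io = execute(p, initial(p, m_ext0, inputs))[-1][4]
    _, cp2 = hybrid(p, p2, delta, m_ext0, inputs, k)
    return cp2[-1][4] == spec_io, cp2[-1][4]

if __name__ == "__main__":   # constructed inputs; update after 4 transitions
    print(backward_compatible(OLD, NEW, state_mapping(0), {}, [1, 5, 3], 4))
    print(backward_compatible(OLD, NEW, state_mapping(1), {}, [1, 5, 3], 4))
```

With b specialised to 0 the hybrid I/O sequence is exactly the old program's, so the update is backward compatible; with b = 1 an old client receives a * 2 instead of a + 2 and the check reports the violation.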

2.4 Backward compatible program behavior changes 

With the formal definition of backward compatibility, it is desirable to check what behavior changes of an updated program help ensure a safe update. Backward compatibility is essentially a relation between I/O sequences produced by an old program and those produced by an updated program. We summarized typical possibilities of the relation into six cases in Figure 1 by considering the consequences of major update motivations (i.e., new functionality, bug fix and program perfective/preventive needs [?]). According to David Parnas [?], a program is updated to adapt to changing needs. In other words, program changes are to produce more or less or different output according to changing needs. These changes are captured by cases 2, 3, 4, 5 and 6 in Figure 1. We also capture output-preserving changes, which are most likely motivated by the program developer's own needs (e.g., software maintainability); this is case 1 in Figure 1.

Furthermore, we find that an update is backward compatible if in every execution the new program behavior is one of the six cases in Figure 1. Cases 1 and 2 are obviously backward compatible because an old client is guaranteed to get old responses. Cases 3, 4, 5, and 6 are not obviously backward compatible. Unlike cases 1 and 2, cases 3, 4 and 5 are backward compatible under specific assumptions on program semantics, while case 6 is different. Case 3 is backward compatible because we assume the change is either adding new functionality or fixing a bug in which the old program hung or crashed. Similarly, case 4 is backward compatible. Case 5 is backward compatible because different I/O interactions could express the same application semantics. For example, a greeting message could be changed from "hi" to "hello". Case 6 is backward compatible in that the new program makes the implicit specification of the program explicit by enforcing restrictions on program state and therefore eliminating undesired I/O sequences.

The six cases in Fig. 1 cover the changes of output, including more or less or different output. There exist more specific cases of backward compatible program behavior changes under various specific assumptions. However, these more specific cases can be attributed to one of the six cases as far as the changes of output are concerned. In conclusion, it is not possible to go much beyond the six cases of backward compatibility in Fig. 1.

3. Real world backward compatible update classes: brief description

We have studied the evolution of three real world programs (i.e., vsftpd, sshd and icecast) to identify real world changes that are backward compatible. We chose these three programs because the programs are widely used in practice [?] and are widely studied in the DSU community [?]. We have studied several years of releases of vsftpd and consecutive updates of sshd and icecast. This is because vsftpd is more widely studied by the DSU community [?].

Figure 1: Six cases of formalized general new program behavior

Case 1, the old behavior including external state extension:
$\Sigma_P \subseteq \Sigma_{P'}$, or
$\Sigma_{P'} = \{(M'_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \mapsto val \mid \exists (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \mapsto val \text{ in } \Sigma_P \text{ and } M_{ext} \subseteq M'_{ext}\}$,
where $\mathcal{I} = \mathcal{I}'$, $O = O'$ and $M_{ext} \subseteq M'_{ext}$.

Case 2, the old behavior for old input and consuming inputs that are only from new clients:
$\Sigma_P \subseteq \Sigma_{P'} \wedge \Sigma_{P'} \setminus \Sigma_P = \{(M_{ext}, oneseq(\mathcal{I}'), oneseq(\mathcal{I}' \cup O')) \mapsto true \mid oneseq(\mathcal{I}' \cup O') \text{ includes at least one input in } \mathcal{I}' \setminus \mathcal{I}\} \neq \emptyset$,
where $\mathcal{I} \subset \mathcal{I}'$, $O \subseteq O'$ and $M_{ext} = M'_{ext}$.

Case 3, producing more output while the old program terminates:
$\Sigma_{P'} \setminus \Sigma_P = \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \mapsto false \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \in A_f \neq \emptyset\}$
$\cup \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O) \cdot oneseq'(\mathcal{I} \cup O)) \mapsto true \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O) \cdot oneseq'(\mathcal{I} \cup O)) \in A_t \neq \emptyset\}$,
$\Sigma_P \setminus \Sigma_{P'} = \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \mapsto false \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \in A_t \neq \emptyset\}$
$\cup \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O) \cdot oneseq'(\mathcal{I} \cup O)) \mapsto true \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O) \cdot oneseq'(\mathcal{I} \cup O)) \in A_f \neq \emptyset\}$,
where $\mathcal{I} = \mathcal{I}'$, $O = O'$ and $M_{ext} = M'_{ext}$.

Case 4, termination while the old program produces erroneous output:
$\Sigma_{P'} \setminus \Sigma_P = \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \mapsto true \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \in A_t \neq \emptyset\}$
$\cup \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O) \cdot oneseq'(\mathcal{I} \cup O)) \mapsto false \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O) \cdot oneseq'(\mathcal{I} \cup O)) \in A_f \neq \emptyset\}$,
$\Sigma_P \setminus \Sigma_{P'} = \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \mapsto true \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \in A_f \neq \emptyset\}$
$\cup \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O) \cdot oneseq'(\mathcal{I} \cup O)) \mapsto false \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O) \cdot oneseq'(\mathcal{I} \cup O)) \in A_t \neq \emptyset\}$,
where $\mathcal{I} = \mathcal{I}'$, $O = O'$ and $M_{ext} = M'_{ext}$.

Case 5, different output that is functionally equivalent to old output:
$(\Sigma_P \neq \Sigma_{P'}) \wedge (\Sigma_P \equiv \Sigma_{P'})$,
where $\mathcal{I} = \mathcal{I}'$, $(O \neq O') \wedge (O \equiv O')$ and $M_{ext} = M'_{ext}$.

Case 6, enforcing restrictions on program state:
$\Sigma_{P'} \setminus \Sigma_P = \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \mapsto false \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \in A_{arbi} \neq \emptyset\}$,
$\Sigma_P \setminus \Sigma_{P'} = \{(M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \mapsto true \mid (M_{ext}, oneseq(\mathcal{I}), oneseq(\mathcal{I} \cup O)) \in A_{arbi} \neq \emptyset\}$,
where $\mathcal{I} = \mathcal{I}'$, $O = O'$ and $M_{ext} = M'_{ext}$.

Figure 2: Statistics of classified real world software updates

Software version          Update date   Total   Class
vsftpd 1.1.0 - 1.1.1      2002-10-07       16       8
vsftpd 1.1.1 - 1.1.2      2002-10-16        8       1
vsftpd 1.1.2 - 1.1.3      2002-11-09        8       4
vsftpd 1.1.3 - 1.2.0      2003-05-29       61       9
vsftpd 1.2.0 - 1.2.1      2003-11-13       33      11
vsftpd 1.2.1 - 1.2.2      2004-04-26       10       6
vsftpd 1.2.2 - 2.0.0      2004-07-01       52      13
vsftpd 2.0.0 - 2.0.1      2004-07-02        7       4
vsftpd 2.0.1 - 2.0.2      2005-03-03       23       4
vsftpd 2.0.2 - 2.0.3      2005-03-19       18       8
vsftpd 2.0.3 - 2.0.4      2006-01-09       14       9
vsftpd 2.0.4 - 2.0.5      2006-07-03       21      15
vsftpd 2.0.5 - 2.0.6      2008-02-13       20       9
vsftpd 2.0.6 - 2.0.7      2008-07-30       16       8
vsftpd 2.0.7 - 2.1.0      2009-02-19       53      11
vsftpd 2.1.0 - 2.1.2      2009-05-29       21       9
vsftpd 2.1.2 - 2.2.0      2009-08-13       34      14
vsftpd 2.2.0 - 2.2.2      2009-10-19       21       5
vsftpd 2.2.2 - 2.3.0      2010-08-06       13       3
vsftpd 2.3.0 - 2.3.2      2010-08-19        5       0
vsftpd 2.3.2 - 2.3.4      2011-03-12        7       0
vsftpd 2.3.4 - 2.3.5      2011-12-19       14       6
vsftpd 2.3.5 - 3.0.0      2012-04-10       23       4
vsftpd 3.0.0 - 3.0.2      2012-09-19       40       2
sshd 3.5p1 - 3.6p1        2003-03-31       95      34
sshd 3.6p1 - 3.6.1p1      2003-04-01       13      12
sshd 3.6.1p1 - 3.6.1p2    2003-04-29       16      12
sshd 4.5p1 - 4.6p1        2007-03-07       48      13
sshd 6.6p1 - 6.7p1        2014-10-06      283      51
icecast 0.8.0 - 0.8.1     2004-08-04        4       3
icecast 0.8.1 - 0.8.2     2004-08-04        2       0
icecast 2.3.0 - 2.3.1     2005-11-30       47      10
icecast 2.3.1 - 2.3.2     2008-06-02      250      28
icecast 2.4.0 - 2.4.1     2014-11-19      178     154

Our study of real world program evolution is carried out as follows. We examined every changed function manually to classify updates. For every individual change, we first identified the motivation of the change, then the assumptions under which the change could be considered backward compatible. If the assumption under which the change is considered backward compatible is reasonable, we recorded the change into one particular update class. Finally, we summarized common update classes observed in the evolution of the studied programs.

Fig. 2 shows the statistics from our study of real world program evolution, where "total" refers to the number of all updated functions and "class" refers to the number of updated functions with at least one classified update pattern. In summary, 32% of all updated functions include at least one classified program update; the unclassified updates are mostly bug fixes that are related to specific program logic. We summarized the seven most common real world update classes from all the studied updates in Fig. 3, and we believe that these update classes are also widespread in other program evolution. Each of the six real world update classes falls in one of the five cases of backward compatibility in Fig. 1. We present informal descriptions of all update classes, including the required assumptions for the two programs to produce the same or equivalent output sequence, which guarantees backward compatible DSU.

3.1 Observational equivalence: the old behavior

In case 1 in Fig. 1, two programs are backward compatible because the new program keeps all old behaviors ("observational equivalence"). In our study, we differentiate two types of "observational equivalence" based on whether assumptions are required.

Program equivalence We consider several types of program changes that are allowed by "observational equivalence" without user assumptions. These changes include: loop fission or fusion, statement reordering or duplication, and extra statements unrelated to output (e.g., logging related changes). We incorporate these changes in our framework of program equivalence, which ensures that two programs produce the same output regardless of whether the programs terminate or not. The details of the formal treatment are in Section 5.

Specializing new configuration variables Another update class 
of “observational equivalence” is “specializing new configuration 
variables”, which is backward compatible under user assumptions. 
Figure 3: Required assumptions for real world backward compatible update classes

Update class (Case)          Required assumptions for backward compatible update
program equivalence (1)      none
new config. variables (1)    no redefinitions of new config variables after initialization
enum type extension (2)      no inputs from old clients match the extended enum labels
var. type weakening (3)      no intentional use of value type mismatch and array out of bound
exit on error (4)            correct error check before exit
improved prompt msgs (5)     changing prompt messages for more effective communication
missing var. init. (6)       no intentional use of undefined variables


1 : 


1 ’: 

If (6) then 

2 : 


2 ’: 

output 0*2 

3: 


3’: 

else 

4: 

output a -F 2 

old 

4’: 

output o -F 2 

new 


1 : 


V: 

If (1/(0 

2 : 


2’: 

skip 

3: 

output a 

3’: 

output a 


old 


new 


Figure 6: Exit-on-error 


3.3 Variable type weakening: more output when the old program terminates 

In program updates, variable types are changed either to allow for 
larger ranges (weakening) or for smaller ranges to save space (strengthening). 
For example, an integer variable might be changed to become a long 
variable to avoid integer overflow, or a long variable might be changed 
to an integer variable because the larger range of long is not needed. 
Type weakening also includes adding a new enumeration value and 
increasing an array's size. The kinds of strengthening or weakening 
that should be allowed are application dependent and would need to be 
defined by the user in general. The type weakening considered here is 
either a change from type int to long or an increase of array size. 
These updates fix integer overflow or array index out of bound 
respectively, case 3 of backward compatibility. Implicitly, we assume 
that there is no intentional use of integer overflow or array out of 
bound as program semantics. 


Figure 4: Specializing new configuration variables 


old                          new

1: enum id {o1}              1': enum id {o1, o2}
2: a : enum id               2': a : enum id
3: If (a == o1) then         3': If (a == o1) then
4:   output 2 + c            4':   output 2 + c
5:                           5': If (a == o2) then
6:                           6':   output 3 + c

Figure 5: Enumeration type extension 


In this update class, new configuration variables are introduced to 
generalize functionality. For example, in Fig. 4 a new configuration 
variable b is used to introduce new code. The two statement 
sequences in Fig. 4 are equivalent when the new variable b is 
specialized to 0. In general, if all new code is introduced in a way 
similar to that in Fig. 4, where there is a valuation of the new 
configuration variables under which the new code is not executed, and 
the new configuration variables are not redefined after initialization, 
then the new program and the old program produce the same output 
sequence. The point is that new functionality is not introduced 
abruptly in interaction with an old client. Instead, new functionality 
could be enabled for a new client when old clients are not a 
concern. 

3.2 Enum. type extension: old behavior for old input and allowing new input 

Enumeration types allow developers to list similar items. New code 
is usually accompanied by the introduction of new enumeration 
labels. Fig. 5 shows an example of the update. The new enum label 
o2 gives a new option for matching the value of the variable 
a, which introduces the new code “output 3 + c”. To show enumeration 
type extensions to be backward compatible, we assume 
that the values of enum variables used in the If-predicate introducing 
the new code only come from inputs that cannot be translated to the new 
enum labels. This is case 2 of backward compatibility. 


3.4 Exit on errors: stopping execution while the old program produces more output 

One kind of bug fix, which we call exit on error, causes a program 
to exit on observing errors that depend on the application semantics. 
Fig. 6 shows an example of an exit-on-error update. In the example, 
the fixed bug refers to the program semantic error that a = 5. Instead 
of using an “exit” statement, we rely on the crash from expression 
evaluation to model the “exit”. When errors do not occur, 
the two programs in Fig. 6 produce the same output sequence. 
This is case 4 of backward compatibility. Naturally, we assume that 
all error checks are correct. 

3.5 Improved prompt messages: functionally equivalent outputs 

In practice, outputs could be classified into prompt outputs and 
actual outputs. Prompt outputs are those asking clients for inputs, 
which are constants hardcoded in output statements. Actual outputs 
are dynamic messages produced by the evaluation of non-constant 
expressions in execution. If the differences between two programs 
are only the prompt messages that a client receives, we consider 
the two programs equivalent. The prompt messages are 
the replaceable part of program semantics. We observe cases of 
improving prompt messages in program evolution for effective 
communication. Changes of prompt outputs are immaterial only 
for human clients. This is case 5 of backward compatibility. 

3.6 Missing variable initialization: enforcing restrictions on program states 

Another kind of bug fix, which we call missing variable initialization, 
adds initializations for variables whose arbitrary initial 
values can affect the output sequence in the old program. Fig. 7 
shows an example of missing variable initialization. The initialization 
b := 2 ensures that the value used in “output b + c” is not undefined. 
Apart from the initialization statement, the two programs are 
the same. In general, initializations of variables only affect rare buggy 
executions of the old program, where undefined variables affect the 
output sequence. This update class is case 6 of backward compatibility 
and we assume that there is no intentional use of undefined 
variables in the program. When there are no uses of variables with 
old                          new

1:                           1': b := 2
2: If (a > 0) then           2': If (a > 0) then
3:   b := c + 1              3':   b := c + 1
4: output b + c              4': output b + c

Figure 7: Missing initialization 


Identifier     id
Constant       n
Label          l
Enum Items     el    ::= l | el1, el2
Enumeration    EN    ::= ∅ | enum id {el} | EN1, EN2
Prompt Msg     msg   ::= l : n | msg1, msg2
Prompts        Pmpt  ::= ∅ | {msg}
Base type      τ     ::= Int | Long | pmpt | enum id
Variables      V     ::= ∅ | τ id | τ id[n] | V1, V2
Left value     lval  ::= id | id1[id2] | id[n]
Expression     e     ::= id == l | lval | other
Statement      s     ::= lval := e | input id | output e | skip
                       | while (e) {S} | If (e) then {S_t} else {S_f}
Stmt Seq.      S     ::= s1; ...; sk for k ≥ 1
Program        P     ::= Pmpt; EN; V; S_entry

Figure 8: Abstract syntax 


undefined values in executions of the old program, the two programs 
produce the same output sequence. 

4. Formal programming language 

We present the formal programming language on which we base 
our semantic equivalence results and describe categories 
of backward compatible changes. We first explain the language 
syntax, then the language semantics. 

4.1 Syntax of the formal language 

The language syntax is in Figure 8. We use id to range over the 
set of identifiers, n to range over integers, and l to range over labels. 
We assume unique identifiers across all syntactic categories, and unique 
labels across all enumeration types and the prompt type. We have 
base types Int and Long for integer values. The integers defined in 
type Int are also defined in type Long. Every label defined in the 
prompt type is related to an integer constant as the actual value 
used in output statements. We differentiate types Long and Int to 
define the bug fix of type relaxation from Int to Long that prevents 
overflow in calculation (e.g., a + b can cause an error with Int but 
not with Long). The type Int is necessary to reflect the concern of 
space and time efficiency in practical computation. We also have 
user-defined enumeration types, the prompt type and array types. 

We explicitly have “id == l” and lval as expressions for convenience 
in the definition of specific updates. To make our programming 
language general and to separate the concern of expression 
evaluation, we parameterize the language by “other” expressions, 
which are unspecified. 

We have explicit input and output statements because we model 
the program behavior as the I/O sequence, which is the observational 
behavior of a program. The I/O statements make it convenient 
to argue about program behavior correspondence. In this 
paper, every I/O value is an integer value, which is a common I/O 
representation [ref]. A statement sequence is defined as s1; ...; sk 
where k > 0 for the convenience of syntax-directed definitions from 
both ends of the sequence. 

A program is composed of a possibly empty prompt type Pmpt, 
a possibly empty sequence of enumeration types EN, a possibly 
empty sequence of global variables V and a sequence of entry 


Values         v        ∈   Z_L ∪ L             integer values in type Long and enum/prompt labels
I/O values     v_io     ∈   Z_L
Inputs         v_i      ::= ?v_io               tagged input values
Eval. values   v_err    ::= v | error           values and the runtime error
Param. types   τ_t      ::= τ | array(τ, n)
Loop labels    loop_lb  ∈   N

Figure 9: Values, types and domains 

Crash flag     f        ::= 0 | 1
Overflow flag  of       ::= 0 | 1
Type Env.      Γ        ::= ∅ | id : τ_t | id : {l1, ..., lk} | Γ1, Γ2
Loop counter   loop_c   ::= (loop_lb ↦ (n | ⊥))*
Value store    σ        ::= id ↦ (v | ⊥)             values of scalar variables
                          | id ↦ (n ↦ (v | ⊥))       values of array elements
                          | id_I ↦ v_i*              input sequence
                          | id_IO ↦ (v_i | v_o)*     I/O sequence
State          m        ::= (f, of, Γ, loop_c, σ)

Figure 10: Elements of an execution state 


statements S_entry. Finally, we have a standard type system based 
on our syntax. 

4.2 Small-step operational semantics of the formal language 

Figure 9 shows the semantic categories of our language. We consider 
values to be either labels L or integer numbers Z_L defined in type 
Long. The integer numbers Z_I of type Int are a proper 
subset of those in type Long, Z_I ⊂ Z_L. We use the notation Z_L+ 
for the positive integers defined in type Long. We use the notation 
udf[τ] for an undefined value of type τ. Unlike the “undef” in 
Clight [ref], we need to parameterize the undefined value with a 
type τ because we do not have an underlying memory model that 
can interpret any block content according to a type. An individual 
value in the I/O sequence is an integer number with a tag differentiating 
inputs and outputs; our tags for inputs and outputs are standard 
notations [ref]. The value from expression evaluation is a pair. One 
component of the pair is either a value v or “error” for runtime errors (e.g., 
division by zero); the other is the overflow flag (i.e., 0 for no 
overflow). 

We use the notation τ_t for all types that are defined in the syntax, 
including array types. 

Every loop statement in a program carries a unique label loop_lb, 
a natural number, in order to differentiate their executions. 

The composition of an execution state is in Figure 10. 

1. The crash flag f is initially zero and is set to one whenever an 
exception occurs. Once the crash flag is set, it is not cleared. We 
only consider unrecoverable crashes. The crash flag is used to 
make sure that updates do not occur in error states. 

2. The overflow flag of is initially zero and is set to one whenever 
an integer overflow in expression evaluation occurs. The overflow 
flag is sticky in the sense that once it is set, the flag is not 
cleared. According to [ref], integer overflows are common in 
mature programs. 

3. Γ is the type environment mapping enumeration type identifiers 
and variable identifiers to their types. The type environment is 
necessary for checking array index out of bound or value 
mismatch in the execution of input/assignment statements. 

4. Loop counters loop_c record the number of iterations for 
one instance of a loop statement. The loop counters loop_c are 
The transition relation has the form (S, m) → (S', m').

            (r, m) → (r', m')
        ─────────────────────────
          (E[r], m) → (E[r'], m')

Eval. Context  E ::= _ | id[E] | E == l | id := E | id[E] := e | id[v] := E | output E
                   | while (E) {S} | If (E) then {S_t} else {S_f} | E; S

Figure 11: Contextual semantic rule 


E   : other → σ → (v_err × {0, 1})      expression meaning function
Err : other → {id}                       (unspecified)

Var:       f = 0,  σ(id) = v  ⟹  (id, m(f, σ)) → (v, m)

Arr-1:     f = 0,  σ(id, v1) = v2  ⟹  (id[v1], m(f, σ)) → (v2, m)

Arr-2:     f = 0,  (Γ ⊢ id : array(τ, n)) ∧ ¬(1 ≤ v1 ≤ n)  ⟹  (id[v1], m(f, Γ)) → (id[v1], m(1/f))

Eq-T:      f = 0  ⟹  (l == l, m(f)) → (1, m)

Eq-F:      f = 0,  l1 ≠ l2  ⟹  (l1 == l2, m(f)) → (0, m)

EEval:     f = 0,  e = other  ⟹  (e, m(f, σ)) → (E[e]σ, m)

ECrash:    f = 0  ⟹  ((error, v_of), m(f)) → (0, m(1/f))

EOflow-1:  f = 0,  of = 0  ⟹  ((v, v_of), m(f, of)) → (v, m(v_of/of))

EOflow-2:  f = 0,  of = 1  ⟹  ((v, v_of), m(f, of)) → (v, m)

Figure 12: SOS rules for expressions 

Rules for assignment, If, and While statements (Figure 13):

As-Scl:    f = 0,  σ(id) ≠ ⊥  ⟹  (id := v, m(f, σ)) → (skip, m(σ[v/id]))

As-Arr:    f = 0,  σ(id, v1) ≠ ⊥  ⟹  (id[v1] := v2, m(f, σ)) → (skip, m(σ[v2/(id, v1)]))

As-Err1:   f = 0,  (Γ ⊢ id : array(τ, n)) ∧ ¬(1 ≤ v1 ≤ n)  ⟹  (id[v1] := v2, m(f, Γ)) → (id[v1] := v2, m(1/f))

As-Err2:   f = 0,  σ(id) ≠ ⊥,  (Γ ⊢ id : Int) ∧ (v ∈ Z_L \ Z_I)  ⟹  (id := v, m(f, Γ, σ)) → (id := v, m(1/f))

As-Err3:   f = 0,  σ(id, v1) ≠ ⊥,  (Γ ⊢ id : array(Int, n)) ∧ (v2 ∈ Z_L \ Z_I)  ⟹  (id[v1] := v2, m(f, Γ, σ)) → (id[v1] := v2, m(1/f))

If-T:      f = 0,  (v ∈ Z_L) ∧ (v ≠ 0)  ⟹  (If (v) then {S_t} else {S_f}, m(f)) → (S_t, m)

If-F:      f = 0  ⟹  (If (0) then {S_t} else {S_f}, m(f)) → (S_f, m)

Wh-T:      f = 0,  (v ∈ Z_L) ∧ (v ≠ 0),  loop_c(n) = k  ⟹  (while_(n) (v) {S}, m(f, loop_c)) → (S; while_(n) (e) {S}, m(loop_c[(k + 1)/n]))

Wh-F:      f = 0,  loop_c(n) ≠ ⊥  ⟹  (while_(n) (0) {S}, m(f, loop_c)) → (skip, m(loop_c[0/n]))


not necessary for program executions but are needed for our 
reasoning about the execution of loops. When a counter entry for 
loop label n is not defined in the loop counters loop_c, we write 
loop_c(n) = ⊥. Otherwise, we write loop_c(n) ≠ ⊥. 

5. The value store σ is a valuation for scalar variables, array 
elements, the input sequence variable, and the I/O sequence 
variable. 

The execution state m is a composition of the elements discussed 
above. In our SOS rules, we only show components of a state 
m when necessary (e.g., m(Γ, σ)). 

Figure 11 shows the typical contextual rule and Figures 12, 13 and 
14 show all SOS rules. 

Figure 12 shows the rules for expression evaluation. We use the 
expression meaning function E : other → σ → (v_err × {0, 1}) 
to evaluate “other” expressions. In the evaluation of an expression “other” 
against a value store σ, the expression meaning function E returns a 
pair (v_err, of) where the value v_err is either a value v or an “error”, and of 
is a flag indicating whether there is integer overflow in the evaluation (e.g., 
1 if there is overflow). The meaning function E interprets “other” 
expressions deterministically. In addition, there is a function Use : 


Seq:       f = 0  ⟹  (skip; S, m(f)) → (S, m)

Crash:     f = 1  ⟹  (s, m(f)) → (s, m)

Figure 13: SOS rules for Assignment, If, and While statements 


other → {id} that maps an “other” expression to the set of variables 
used in the expression; there is a function Err : other → {id} 
that maps an expression to the set of variables whose values decide whether the 
evaluation of the expression leads to a crash. We assume the functions Use 
and Err are available. The value returned by the expression meaning 
function only depends on the values of the variables in the use set of the 
expression, and the error evaluation only depends on the variables 
in the error set. 

As to integer overflow, there are two ways of handling overflow 
in practice: one is to wrap around on overflow using the two's-complement 
representation (e.g., the gcc option -fwrapv); the other 
is to generate traps for overflow (e.g., the gcc option -ftrapv). We 
adopt a combination of the two ways of handling overflow: the meaning 
function E wraps the overflow in some representation (e.g., 
two's complement) and signals the overflow in its return value. Rules 
EOflow-1 and EOflow-2 update the sticky overflow flag. The evaluation 
of lval or id == l is shown by the respective rules in Figure 12. 

Figure 13 shows SOS rules for assignment, If and while statements, 
statement sequences, and crash, which are almost standard. There 
are four particular crashes in the execution of assignment statements. 
One is array out of bound for array access as an l-value (e.g., rule 
As-Err1); the second is assigning a value defined in type Long but 
not in type Int to an Int-typed variable (e.g., rule As-Err2); the third is 
value mismatch in an input statement; the last is an expression evaluation 
exception. As to the loop statement, if the predicate expression evaluates 
to a nonzero integer, the corresponding loop counter value increments 
by one; otherwise, the loop counter value is reset to zero. We 
In-1:   f = 0,  σ(id) ≠ ⊥,  hd(σ(id_I)) = v_io,  Γ ⊢ id : Long
        ⟹  (input id, m(f, Γ, σ)) → (skip, m(σ[v_io/id][tl(σ(id_I))/id_I][“σ(id_IO) · ?v_io”/id_IO]))

In-2:   f = 0,  σ(id) ≠ ⊥,  hd(σ(id_I)) = v_io,  (Γ ⊢ id : Int) ∧ (v_io ∈ Z_I)
        ⟹  (input id, m(f, Γ, σ)) → (skip, m(σ[v_io/id][tl(σ(id_I))/id_I][“σ(id_IO) · ?v_io”/id_IO]))

In-3:   f = 0,  σ(id) ≠ ⊥,  hd(σ(id_I)) = v_io,  (Γ ⊢ id : Int) ∧ (v_io ∉ Z_I)
        ⟹  (input id, m(f, Γ, σ)) → (input id, m(1/f))

In-4:   f = 0,  σ(id) ≠ ⊥,  hd(σ(id_I)) = v_io,  (Γ ⊢ id : enum id') ∧ (Γ ⊢ id' : {l1, ..., lk}) ∧ (1 ≤ v_io ≤ k)
        ⟹  (input id, m(f, Γ, σ)) → (skip, m(σ[l_{v_io}/id][tl(σ(id_I))/id_I][“σ(id_IO) · ?v_io”/id_IO]))

In-5:   f = 0,  σ(id) ≠ ⊥,  hd(σ(id_I)) = v_io,  (Γ ⊢ id : enum id') ∧ (Γ ⊢ id' : {l1, ..., lk}) ∧ ¬(1 ≤ v_io ≤ k)
        ⟹  (input id, m(f, Γ, σ)) → (input id, m(1/f))

In-6:   f = 0,  σ(id_I) = ∅
        ⟹  (input id, m(f, σ)) → (input id, m(1/f))

Out-1:  f = 0,  v ∈ Z_L
        ⟹  (output v, m(f, σ)) → (skip, m(σ[“σ(id_IO) · !v”/id_IO]))

Out-2:  f = 0,  (Γ ⊢ id : {l1, ..., lk}) ∧ (v = l_i ∈ {l1, ..., lk})
        ⟹  (output v, m(f, Γ, σ)) → (skip, m(σ[“σ(id_IO) · !i”/id_IO]))

Out-3:  f = 0,  Γ ⊢ pmpt : {l1 : n1, ..., lk : nk},  “l : n” ∈ {l1 : n1, ..., lk : nk}
        ⟹  (output l, m(f, Γ)) → (output n, m)

Figure 14: SOS rules for input/output statements 


use rule Crash to treat a crash as a non-terminating execution, telling 
apart normally terminating executions from others. 

Figure 14 shows the rules for the execution of input/output statements. 
As to input, there are conversions from values of type Long 
to those of Int or enumeration types, but not to the prompt type. For an 
enumeration type, the Long-typed value is transformed to the label 
with the index of that value if possible. There is a crash when the value 
conversion is impossible. Besides, there is a crash when executing an input 
statement with an empty input sequence. We use the standard list operations 
hd and tl for fetching the list head (leftmost element) or the list 
tail (the list with its head removed) respectively [ref]. 
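An added example (not the paper's own code) of the input rules In-1 to In-6 in C: one input statement on a single scalar variable, with the type taken from a small stand-in for Γ. It assumes a 32-bit Int, encodes an enum label l_i by its index i, and tags input values in the I/O sequence with '?'; the names step_input, run_single_input, TypeInfo and State are this example's own. The stand-alone run applies the enumeration extension of Figure 5 (old enum {o1}, new enum {o1, o2}) to the input value 2.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Type of the single scalar variable "id" read by the input statement, as recorded
   in the type environment Gamma. Int is 32-bit here (an assumption of this example). */
typedef enum { TY_INT, TY_LONG, TY_ENUM } VarType;
typedef struct {
    VarType type;
    int     k;      /* for TY_ENUM: the labels are l_1 .. l_k */
} TypeInfo;

#define MAX_IO 8

/* The parts of an execution state m used by the input rules: crash flag f,
   sigma(id), sigma(id_I) and sigma(id_IO). */
typedef struct {
    int            f;
    int64_t        id;             /* sigma(id); a label l_i is stored as its index i */
    const int64_t *input;          /* sigma(id_I): the remaining input sequence */
    size_t         input_len;
    int64_t        io[MAX_IO];     /* sigma(id_IO): the I/O sequence values ... */
    char           io_tag[MAX_IO]; /* ... with '?' for input values, '!' for output values */
    size_t         io_len;
} State;

/* One step of "input id" (rules In-1 .. In-6 of Figure 14).
   Returns 1 when the statement steps to skip, 0 when the state crashes (f := 1)
   or was already crashed (rule Crash). */
int step_input(State *m, TypeInfo ty) {
    if (m->f != 0) return 0;                          /* Crash: no further change */
    if (m->input_len == 0) { m->f = 1; return 0; }    /* In-6: sigma(id_I) is empty */
    int64_t v_io = m->input[0];                       /* hd(sigma(id_I)) */
    switch (ty.type) {
    case TY_LONG:                                     /* In-1: any Long value fits */
        break;
    case TY_INT:                                      /* In-2 / In-3: v_io must lie in Z_I */
        if (v_io < INT32_MIN || v_io > INT32_MAX) { m->f = 1; return 0; }
        break;
    case TY_ENUM:                                     /* In-4 / In-5: 1 <= v_io <= k selects l_{v_io} */
        if (v_io < 1 || v_io > ty.k) { m->f = 1; return 0; }
        break;
    }
    m->id = v_io;                                     /* sigma[v_io/id] (or l_{v_io}/id) */
    m->input++; m->input_len--;                       /* sigma[tl(sigma(id_I))/id_I] */
    if (m->io_len < MAX_IO) {                         /* sigma["sigma(id_IO) . ?v_io"/id_IO] */
        m->io[m->io_len] = v_io;
        m->io_tag[m->io_len] = '?';
        m->io_len++;
    }
    return 1;
}

/* Run "input id" once on a fresh state whose input sequence is the single value v. */
State run_single_input(int64_t v, TypeInfo ty) {
    static int64_t seq[1];                            /* backing store for the one-element input sequence */
    seq[0] = v;
    State m = { .f = 0, .id = 0, .input = seq, .input_len = 1, .io_len = 0 };
    step_input(&m, ty);
    return m;
}

/* Run "input id" on an empty input sequence: In-6 must crash. */
int crash_on_empty_input(void) {
    State m = { .f = 0, .id = 0, .input = NULL, .input_len = 0, .io_len = 0 };
    step_input(&m, (TypeInfo){ TY_LONG, 0 });
    return m.f;
}

int main(void) {
    /* Figure 5: the old program has enum {o1}, the new program has enum {o1, o2}. */
    TypeInfo old_enum = { TY_ENUM, 1 }, new_enum = { TY_ENUM, 2 };
    printf("input 2, old enum: crash = %d\n", run_single_input(2, old_enum).f);  /* 1 */
    printf("input 2, new enum: crash = %d\n", run_single_input(2, new_enum).f);  /* 0 */
    return 0;
}
```

On a crash the statement is not consumed and neither the input sequence nor the I/O sequence changes, matching the rules, whose conclusion is (input id, m(1/f)). The example also shows the assumption behind case 2 of backward compatibility: an old client that sends the label index 2 crashed the old program, so only inputs that the old enum could already translate are safe to reason about.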

Last, we construct the initial state in the following steps: First, the crash 
flag f and the overflow flag of are zero. Second, the type environment is 
obtained after parsing the program. Third, every loop counter value 
in loop_c is initially zero. Fourth, every scalar variable or array element 
has an entry in the value store, with some initial value if specified. 
Last, there is an initial input sequence and an empty I/O sequence. 

4.3 Preliminary terms and notations 

We present terms, notations and definitions for program equivalence 
and backward compatible update classes. 

We use Use(e) or Use(S) to denote the used variables in an expression 
e or a statement sequence S; Def(S) denotes the set of defined 
variables in a statement sequence S. The full definitions of Use and 
Def are in Appendix B. 

We use the symbol ∈ for two different purposes: x ∈ X denotes that 
a variable is in a set of variables, and s ∈ S denotes that a statement 
is in a statement sequence. We use the symbol ⊂ to refer to the 
proper subset relation. 

We call an “If” statement or a “while” statement a compound 
statement; all other statements are simple statements. We 
introduce terms referring to parts of a compound statement. Let 
s = “If (e) then {S_t} else {S_f}” be an “If” statement; we call e in s 
the predicate expression, and S_t/S_f the true/false branch of s. 

5. Program equivalence 

We consider several types of program changes that are allowed 
by “observational equivalence” without user assumptions. These 
changes include statement reordering or duplication, extra statements 
unrelated to output (e.g., logging related changes), and loop fission 
or fusion. Our program equivalence ensures that two programs produce 
the same output, which means the two programs produce the same I/O 
sequence up to any output. The program equivalence is established upon 
two other kinds of equivalence, namely equivalent terminating computation 
of a variable and equivalent termination behavior. 

We first define terminating and nonterminating execution. Then 
we present the framework of program equivalence in three steps, in 
which every later step relies on the prior ones. We first propose a proof 
rule ensuring that two programs compute a variable in the same way. 
We then suggest a condition ensuring that two programs either both 
terminate or both do not terminate. Finally we describe a condition 
ensuring that two programs produce the same output sequence. Our 
proof rule of program equivalence gives a program point mapping as 
well as a program state mapping. Though we express program 
equivalence as a whole-program relation, it is easy to apply the 
equivalence check to local changes using our framework under the 
user's various assumptions for equivalence. 

5.1 Definitions of execution 

We define an execution to be a sequence of configurations, which 
are pairs (S, m) where S is a statement sequence and m is an execution 
state as shown in Figure 10. Let (S1, m1), (S2, m2) be two 
consecutive configurations in an execution; the later configuration 
(S2, m2) is obtained by applying one semantic rule to the 
configuration (S1, m1), denoted (S1, m1) → (S2, m2), and called 
one step (of execution). For convenience, we use the notation 
(S, m) →^k (S', m') for an execution of k steps where k ≥ 0. When we 
do not care about the exact (finite) number of steps, we write the 
execution as (S, m) →* (S', m'). We express terminating executions and 
nonterminating executions including crash in Definitions 7 and 8. 

Definition 7. (Termination) A statement sequence S normally 
terminates when started in a state m iff (S, m) →* (skip, m'(f)) 
where f = 0. 

Definition 8. (Nontermination) A statement sequence S does not 
terminate when started in a state m iff ∀k > 0 : (S, m) →^k 
(S_k, m_k) where S_k ≠ skip. 

5.2 Equivalent computation for terminating programs 

We propose a proof rule under which two terminating programs 
compute a variable in the same way. We start by giving the 
definition of equivalent computation for terminating programs right 
after this paragraph. Then we present the proof rule of equivalent 
computation. We prove that the proof rule ensures 
equivalent computation for terminating programs by induction on 
the program size of the two programs in the proof rule. We also 
list auxiliary lemmas required by the soundness proof for the proof 
rule of equivalent computation for terminating programs. 

Definition 9. (Equivalent computation for terminating programs) 
Two statement sequences S1 and S2 compute a variable x 
equivalently when started in states m1 and m2 respectively, written 
(S1, m1) =_x (S2, m2), iff (S1, m1) →* (skip, m1'(σ1')) and 
(S2, m2) →* (skip, m2'(σ2')) imply σ1'(x) = σ2'(x). 

5.2.1 Proof rule for equivalent computation for terminating programs 

We define a proof rule under which (S1, m1) =_x (S2, m2) holds 
for generally constructed initial states m1 and m2, written S1 =_x 
S2. Our proof rule for equivalent computation for terminating programs 
allows updates including statement reordering or duplication, 
loop fission or fusion, additional statements unrelated to the 
computation, and statement movement across If-branches. 

Definition 12 includes the recursive proof rule of equivalent 
computation for terminating programs. The base case is the condition 
for two simple statements in Definition 11. Definition 10 of 
imported variables captures the variable def-use chain which is the 
essence of our equivalence. In Definition 10, Def and Use refer 
to variables defined or used in a statement (sequence) or an expression, 
similar to those in the optimization chapter of the dragon 
book [1]; S^i refers to i consecutive copies of a statement sequence 
S. 

Definition 10. (Imported variables) The imported variables 
in a sequence of statements S relative to variables X, written 
Imp(S, X), are defined in one of the following cases: 

1. Def(S) ∩ X = ∅: Imp(S, X) = X; 

2. S = “id := e” or “input id” or “output e” and Def(S) ∩ X ≠ ∅: 
Imp(S, X) = Use(S) ∪ (X \ Def(S)); 

3. S = “If (e) then {S_t} else {S_f}” and Def(S) ∩ X ≠ ∅: 
Imp(S, X) = Use(e) ∪ ⋃_{y ∈ X} (Imp(S_t, {y}) ∪ Imp(S_f, {y})); 

4. S = “while (e) {S'}” where (Def(S') ∩ X) ≠ ∅: Imp(S, X) 
= {S'\Use(e) ∪ X); 

5. For k > 0, S = s1; ...; s_{k+1}: 
Imp(S, X) = Imp(s1; ...; sk, Imp(s_{k+1}, X)) 
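To make the definition concrete, here is an added C implementation of cases 1, 2, 3 and 5 (the while case is left out), not code from the paper. Variables are encoded as bit positions in a 32-bit set and the I/O sequence variable id_IO is treated as one more variable; the names imp_stmt, imp_seq and Stmt are this example's own. The embedded programs are the old and new versions from Figure 7, and the result shows why the missing initialization matters: in the old program the output depends on b's initial value, in the new one it does not.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Variables are numbered 0..31 and a set of variables is a bitmask (assumption of
   this example). id_IO, the I/O sequence variable, is an ordinary variable here. */
typedef uint32_t VarSet;
#define VAR(i) ((VarSet)1u << (i))

typedef enum { ST_SIMPLE, ST_IF } StmtKind;

typedef struct Stmt Stmt;
struct Stmt {
    StmtKind    kind;
    VarSet      def;       /* ST_SIMPLE: Def(s); unused for ST_IF */
    VarSet      use;       /* ST_SIMPLE: Use(s); ST_IF: Use(e) of the predicate */
    const Stmt *then_br;   /* ST_IF: true branch S_t, then_len statements */
    size_t      then_len;
    const Stmt *else_br;   /* ST_IF: false branch S_f, else_len statements */
    size_t      else_len;
};

static VarSet def_seq(const Stmt *s, size_t n);

/* Def(s): a simple statement's defined variables, or both branches' for an If. */
static VarSet def_stmt(const Stmt *s) {
    if (s->kind == ST_SIMPLE) return s->def;
    return def_seq(s->then_br, s->then_len) | def_seq(s->else_br, s->else_len);
}

static VarSet def_seq(const Stmt *s, size_t n) {
    VarSet d = 0;
    for (size_t i = 0; i < n; i++) d |= def_stmt(&s[i]);
    return d;
}

VarSet imp_seq(const Stmt *s, size_t n, VarSet X);

/* Imp(s, X) for a single statement: cases 1, 2 and 3 of Definition 10. */
VarSet imp_stmt(const Stmt *s, VarSet X) {
    VarSet def_s = def_stmt(s);
    if ((def_s & X) == 0) return X;                          /* case 1: nothing in X is defined */
    if (s->kind == ST_SIMPLE) return s->use | (X & ~def_s);  /* case 2: Use(s) U (X \ Def(s)) */
    VarSet r = s->use;                                       /* case 3: Use(e) ... */
    for (unsigned y = 0; y < 32; y++) {                      /* ... U_{y in X} Imp(S_t,{y}) U Imp(S_f,{y}) */
        if (X & VAR(y)) {
            r |= imp_seq(s->then_br, s->then_len, VAR(y));
            r |= imp_seq(s->else_br, s->else_len, VAR(y));
        }
    }
    return r;
}

/* Imp(s_1; ...; s_k, X): case 5, Imp(s_1; ...; s_{k-1}, Imp(s_k, X)), unrolled from the end. */
VarSet imp_seq(const Stmt *s, size_t n, VarSet X) {
    VarSet cur = X;
    for (size_t i = n; i > 0; i--) cur = imp_stmt(&s[i - 1], cur);
    return cur;
}

/* Figure 7, encoded: variables a=0, b=1, c=2 and the I/O sequence id_IO=3. */
enum { A = 0, B = 1, C = 2, IO = 3 };
static const Stmt then_body[] = { { ST_SIMPLE, VAR(B), VAR(C), NULL, 0, NULL, 0 } };  /* b := c + 1 */
static const Stmt old_prog[] = {
    { ST_IF, 0, VAR(A), then_body, 1, NULL, 0 },                /* If (a > 0) then { b := c + 1 } */
    { ST_SIMPLE, VAR(IO), VAR(B) | VAR(C), NULL, 0, NULL, 0 }   /* output b + c */
};
static const Stmt new_prog[] = {
    { ST_SIMPLE, VAR(B), 0, NULL, 0, NULL, 0 },                 /* b := 2 (the added initialization) */
    { ST_IF, 0, VAR(A), then_body, 1, NULL, 0 },
    { ST_SIMPLE, VAR(IO), VAR(B) | VAR(C), NULL, 0, NULL, 0 }
};

/* Imported variables relative to the output sequence, for each program. */
VarSet imp_old(void) { return imp_seq(old_prog, 2, VAR(IO)); }
VarSet imp_new(void) { return imp_seq(new_prog, 3, VAR(IO)); }

int main(void) {
    printf("old: Imp = 0x%x (a, b, c: b's initial value matters)\n", imp_old());  /* 0x7 */
    printf("new: Imp = 0x%x (a, c only)\n", imp_new());                          /* 0x5 */
    return 0;
}
```

Walking the old program backwards, "output b + c" imports {b, c}; the If then contributes Use(e) = {a} and, branch by branch, {c} for b and {c} for c from the true branch and {b}, {c} from the empty false branch, giving {a, b, c}. In the new program the leading "b := 2" removes b from that set, so the output sequence no longer depends on a possibly undefined initial value, which is the assumption case 6 relies on.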

Definition 11. (Base cases of the proof rule for equivalent computation 
for terminating programs) Two simple statements s1 
and s2 satisfy the proof rule of equivalent computation of a variable 
x, written s1 =_x s2, iff one of the following holds: 

1. s1 = s2; 

2. s1 ≠ s2 and one of the following holds: 

(a) s1 = “input id1”, s2 = “input id2”, x ∉ {id1, id2}; 

(b) Case (a) does not hold and x ∉ Def(s1) ∪ Def(s2). 

Definition 12. (Proof rule of equivalent computation for terminating 
programs) Two statement sequences S1 and S2 satisfy 
the proof rule of equivalent computation of a variable x, written 
S1 =_x S2, iff one of the following holds: 

1. S1 and S2 are one statement and one of the following holds: 

(a) S1 and S2 are simple statements: s1 =_x s2; 

(b) S1 = “If (e) then {S1_t} else {S1_f}”, S2 = “If (e) then {S2_t} else 
{S2_f}” such that all of the following hold: 

• x ∈ Def(S1) ∩ Def(S2); 

• (S1_t =_x S2_t) ∧ (S1_f =_x S2_f); 

(c) S1 = “while_(n1) (e) {S1'}”, S2 = “while_(n2) (e) {S2'}” 
such that both of the following hold: 

• x ∈ Def(S1) ∩ Def(S2); 

• ∀y ∈ Imp(S1, {x}) ∪ Imp(S2, {x}) : S1' =_y S2'; 

(d) S1 and S2 do not define the variable x: x ∉ Def(S1) ∪ 
Def(S2). 

2. S1 and S2 are not both one statement and one of the following 
holds: 

(a) S1 = S1'; s1, S2 = S2'; s2 and the last statements both define 
the variable x such that both of the following hold: 

• ∀y ∈ Imp(s1, {x}) ∪ Imp(s2, {x}) : S1' =_y S2'; 

• s1 =_x s2 where x ∈ Def(s1) ∩ Def(s2); 

(b) The last statement in S1 or S2 does not define the variable x: 
(x ∉ Def(s2) ∧ (S1 =_x S2')) ∨ (x ∉ Def(s1) ∧ (S1' =_x S2)); 

(c) S1 = S1'; s1, S2 = S2'; s2 and there are statements moving 
in/out of If statements: s1 = “If (e) then {S1_t} else {S1_f}”, 
s2 = “If (e) then {S2_t} else {S2_f}” such that none of the 
above cases hold and all of the following hold: 

• ∀y ∈ Use(e) : S1' =_y S2'; 

• (S1'; S1_t =_x S2'; S2_t) ∧ (S1'; S1_f =_x S2'; S2_f); 

The generalization of the definition S1 =_x S2 to a set of variables 
is as follows. 

Definition 13. Two statement sequences S1 and S2 have equivalent 
computation of variables X, written S1 =_X S2, iff ∀x ∈ X : 
S1 =_x S2. 

5.2.2 Soundness of the proof rule for equivalent computation for terminating programs 

We show that if two programs satisfy the proof rule of equivalent 
computation of a variable x (Definition 12) and their value stores 
in the initial states agree on the values of the imported variables relative 
to x, then the two programs compute the same value of x if they 
terminate. We start by proving the theorem for the base cases of 
equivalent terminating computation. 

Theorem 1. If s1 and s2 are simple statements that satisfy the 
proof rule for equivalent computation of x, s1 =_x s2, and their initial 
states m1(σ1) and m2(σ2) agree on the values of the imported 
variables relative to x, ∀y ∈ Imp(s1, {x}) ∪ Imp(s2, {x}) : 
σ1(y) = σ2(y), then s1 and s2 equivalently compute x when 
started in states m1 and m2 respectively, (s1, m1) =_x (s2, m2). 

Proof. The proof is a case analysis according to the cases in the 
definition of the proof rule for equivalent computation (i.e., Definition 11). 

1. s1 = s2 

Since the two statements are identical, they have the same 
imported variables. By assumption, the imported variables of 
s1 and s2 have the same initial values, so it is enough to show 
that the value of x at the end of the computation only depends 
on the initial values of the imported variables. 

(a) s1 = s2 = “skip”. In this case, the states before and after 
the execution of skip are the same and Imp(skip, {x}) = 
{x}. 

(b) s1 = s2 = “lval := e”. 

i. lval = x. 

s1 = s2 = “x := e”. By the definition of imported 
variables, Imp(x := e, {x}) = Use(e). The execution 
of s1 proceeds as follows. 

(x := e, m(σ)) 
→ (x := E[e]σ, m(σ))          by the EEval rule 
→ (skip, m(σ[E[e]σ/x]))       by the Assign rule. 

The value of x after the full execution is σ[(E[e]σ)/x](x), 
which only depends on the initial values of the imported 
variables by the property of the expression meaning 
function. 

ii. lval ≠ x. 

By the definition of imported variables, Imp(s1, {x}) = 
Imp(s2, {x}) = {x}. It follows, by assumption, that 
σ1(x) = σ2(x). Also s1 terminates, (s1, m1(σ1)) →* 
(skip, m1'(σ1')). Hence, σ1'(x) = σ1(x) by Corollary [ref]. 
Similarly, s2 terminates, (s2, m2(σ2)) →* 
(skip, m2'(σ2')) and σ2'(x) = σ2(x). Therefore, σ2'(x) = 
σ2(x) = σ1(x) = σ1'(x) and the theorem holds. 

(c) s1 = s2 = “input id”. 

i. x ∈ Def(input id) = {id, id_I, id_IO}. 

By the In rule, the execution of input id is the following. 

(input id, m(σ)) 
→ (skip, m(σ[tl(σ(id_I))/id_I] 
[“σ(id_IO) · hd(σ(id_I))”/id_IO][hd(σ(id_I))/id])). 

The value of x after the execution of “input id” is one of 
the following: 

A. tl(σ(id_I)) if x = id_I. 

B. σ(id_IO) · hd(σ(id_I)) if x = id_IO. 

C. hd(σ(id_I)) if x = id. 

By the definition of imported variables, Imp(input id, {x}) 
= {id_IO, id_I}. So, in all cases, the value of x only depends 
on the initial values of the imported variables id_I 
and id_IO. 

ii. x ∉ Def(input id) = {id, id_I, id_IO}. 

By the same argument as in the subcase lval ≠ x of case s1 = 
s2 = “lval := e”, the theorem holds. 

(d) s1 = s2 = “output e”. 

i. x = id_IO 

By the definition of imported variables, Imp(output e, {x}) = 
{id_IO} ∪ Use(e). The execution of s1 proceeds as follows. 

(output e, m(σ)) 
→ (output E[e]σ, m(σ)) 
→ (skip, m(σ[“σ(id_IO) · E[e]σ”/id_IO])). 

The value of x after the execution is “σ(id_IO) · E[e]σ”, 
which only depends on the initial values of the imported 
variables of the statement “output e” by the expression 
meaning function. 

ii. x ≠ id_IO 

By the same argument as in the subcase lval ≠ x of case s1 = 
s2 = “lval := e”, the theorem holds. 

2. s1 ≠ s2 

(a) s1 = “input id1”, s2 = “input id2”, x ∉ {id1, id2}. 

i. x ∈ {id_I, id_IO}. 

By the definition of imported variables, Imp(s1, {x}) = 
Imp(s2, {x}) = {id_IO, id_I}. It follows, by assumption, 
that σ1(y) = σ2(y), ∀y ∈ {id_IO, id_I}. The execution 
of s1 proceeds as follows. 

(s1, m1) 
= (input id1, m1(σ1)) 
→ (skip, m1(σ1[tl(σ1(id_I))/id_I] 
[“σ1(id_IO) · hd(σ1(id_I))”/id_IO][hd(σ1(id_I))/id1])) 

Let σ1' = σ1[tl(σ1(id_I))/id_I][“σ1(id_IO) · hd(σ1(id_I))”/id_IO][hd(σ1(id_I))/id1]. 
The value of x after the execution of s1 is one of the following: 

A. σ1'(x) = tl(σ1(id_I)) if x = id_I. 

B. σ1'(x) = σ1(id_IO) · hd(σ1(id_I)) if x = id_IO. 

Similarly, (s2, m2) → (skip, m2(σ2[tl(σ2(id_I))/id_I] 
[“σ2(id_IO) · hd(σ2(id_I))”/id_IO][hd(σ2(id_I))/id2])). 

Let σ2' = σ2[tl(σ2(id_I))/id_I][“σ2(id_IO) · hd(σ2(id_I))”/id_IO] 
[hd(σ2(id_I))/id2]. Then the value of x after the execution 
of s2 is one of the following: 

A. σ2'(x) = tl(σ2(id_I)) if x = id_I 

B. σ2'(x) = σ2(id_IO) · hd(σ2(id_I)) if x = id_IO 

Recall that σ2(id_I) = σ1(id_I) and σ2(id_IO) = 
σ1(id_IO). Therefore, the theorem holds. 

ii. x ∉ {id_I, id_IO} 

Recall that x ∉ {id1, id2}. By the same argument as in the 
subcase lval ≠ x of case s1 = s2 = “lval := e”, the 
theorem holds. 

(b) All the above cases do not hold and x ∉ Def(s1) ∪ Def(s2) 

By the same argument as in the subcase lval ≠ x of case s1 = s2 = 
“lval := e”, the theorem holds. 

□ 

Theorem 2. If statement sequences $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of a variable $x$, $S_1 =_x S_2$, and their initial states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ agree on the initial values of the imported variables relative to $x$, $\forall y \in \mathrm{Imp}(S_1, \{x\}) \cup \mathrm{Imp}(S_2, \{x\}) : \sigma_1(y) = \sigma_2(y)$, then $S_1$ and $S_2$ equivalently compute the variable $x$ when started in states $m_1$ and $m_2$ respectively,

$(S_1, m_1) =_x (S_2, m_2)$.

Proof. By induction on $\mathrm{size}(S_1) + \mathrm{size}(S_2)$, the sum of the program sizes of $S_1$ and $S_2$.

Base case.

$S_1 =_x S_2$ where $S_1$ and $S_2$ are two simple statements. The theorem holds by Theorem 1.

Induction step.

The hypothesis IH is that the theorem holds when $\mathrm{size}(S_1) + \mathrm{size}(S_2) = k \geq 2$.

We then show that the theorem holds when $\mathrm{size}(S_1) + \mathrm{size}(S_2) = k + 1$. The proof is a case analysis according to the cases in the definition of the proof rule of terminating computation of statement sequences, in two big categories.

1. $S_1$ and $S_2$ are one statement such that one of the following holds:

(a) $S_1$ and $S_2$ are If statements that define the variable $x$:

$S_1 =$ "If $(e)$ then $\{S_1^t\}$ else $\{S_1^f\}$", $S_2 =$ "If $(e)$ then $\{S_2^t\}$ else $\{S_2^f\}$" such that all of the following hold:

• $x \in \mathrm{Def}(S_1) \cap \mathrm{Def}(S_2)$;

• $S_1^t =_x S_2^t$;

• $S_1^f =_x S_2^f$;

We first show that the evaluations of the predicate expressions of $S_1$ and $S_2$ produce the same value when started from states $m_1(\sigma_1)$ and $m_2(\sigma_2)$, w.l.o.g. say zero. Next, we show that $S_1^f$ started in the state $m_1$ and $S_2^f$ started in the state $m_2$ equivalently compute the variable $x$.

In order to show that the evaluations of the predicate expressions of $S_1$ and $S_2$ produce the same value when started from states $m_1(\sigma_1)$ and $m_2(\sigma_2)$, we show that the variables used in the predicate expressions of $S_1$ and $S_2$ are a subset of the imported variables in $S_1$ and $S_2$ relative to $x$. This is true by the definition of imported variables, $\mathrm{Use}(e) \subseteq \mathrm{Imp}(S_1, \{x\})$, $\mathrm{Use}(e) \subseteq \mathrm{Imp}(S_2, \{x\})$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in the predicate expressions of $S_1$ and $S_2$, $\sigma_1(y) = \sigma_2(y)$, $\forall y \in \mathrm{Use}(e)$. By the property of the expression meaning function $\mathcal{E}$, the predicate expressions of $S_1$ and $S_2$ evaluate to the same value when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2$, w.l.o.g. $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (0, u_{of})$. Then the execution of $S_1$ proceeds as follows.

$(S_1, m_1(\sigma_1))$
$= (\text{If } (e) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(\sigma_1))$
$\to (\text{If } ((0, u_{of})) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(\sigma_1))$ by the EEval' rule
$\to (\text{If } (0) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(\sigma_1))$ by the E-Oflow1 or E-Oflow2 rule
$\to (S_1^f, m_1(\sigma_1))$ by the If-F rule.

Similarly, the execution from $(S_2, m_2(\sigma_2))$ gets to $(S_2^f, m_2(\sigma_2))$.

By the hypothesis IH, we show that $S_1^f$ and $S_2^f$ compute the variable $x$ equivalently when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. To do that, we show that all required conditions for the application of the hypothesis IH are satisfied.

• $\mathrm{size}(S_1^f) + \mathrm{size}(S_2^f) < k$.

Because $\mathrm{size}(S_1) = 1 + \mathrm{size}(S_1^t) + \mathrm{size}(S_1^f)$ and $\mathrm{size}(S_2) = 1 + \mathrm{size}(S_2^t) + \mathrm{size}(S_2^f)$.

• The value stores $\sigma_1$ and $\sigma_2$ agree on the values of the imported variables in $S_1^f$ and $S_2^f$ relative to $x$, $\sigma_1(y) = \sigma_2(y)$, $\forall y \in \mathrm{Imp}(S_1^f, \{x\}) \cup \mathrm{Imp}(S_2^f, \{x\})$.

By the definition of imported variables, $\mathrm{Imp}(S_1^f, \{x\}) \subseteq \mathrm{Imp}(S_1, \{x\})$ and $\mathrm{Imp}(S_2^f, \{x\}) \subseteq \mathrm{Imp}(S_2, \{x\})$.

By the hypothesis IH, $S_1^f$ and $S_2^f$ compute the variable $x$ equivalently when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. Therefore, the theorem holds.

(b) $S_1$ and $S_2$ are while statements that define the variable $x$:

$S_1 =$ "while$_{(n_1)}(e)\ \{S_1''\}$", $S_2 =$ "while$_{(n_2)}(e)\ \{S_2''\}$" such that both of the following hold:

• $x \in \mathrm{Def}(S_1) \cap \mathrm{Def}(S_2)$;

• $S_1'' =_y S_2''$ for $\forall y \in \mathrm{Imp}(S_1, \{x\}) \cup \mathrm{Imp}(S_2, \{x\})$;

By Lemma 5.2 we show that $S_1$ and $S_2$ compute the variable $x$ equivalently when started from states $m_1(\mathrm{loop}_c^1, \sigma_1)$ and $m_2(\mathrm{loop}_c^2, \sigma_2)$ respectively. The point is to show that all required conditions for the application of Lemma 5.2 are satisfied.

• The loop counter values of $S_1$ and $S_2$ are zero.

By our assumption, the loop counter values of $S_1$ and $S_2$ are initially zero.

• $S_1$ and $S_2$ have the same imported variables relative to $x$, $\mathrm{Imp}(S_1, \{x\}) = \mathrm{Imp}(S_2, \{x\}) = \mathrm{Imp}(x)$.

This is obtained by Lemma 5.3.

• The initial value stores $\sigma_1$ and $\sigma_2$ agree on the values of the imported variables in $S_1$ and $S_2$ relative to $x$, $\sigma_1(y) = \sigma_2(y)$, $\forall y \in \mathrm{Imp}(S_1, \{x\}) \cup \mathrm{Imp}(S_2, \{x\})$.

By assumption, this holds.

• $S_1''$ and $S_2''$ compute the imported variables in $S_1$ and $S_2$ relative to $x$ equivalently, $(S_1'', m_{S_1''}(\sigma_{S_1''})) =_y (S_2'', m_{S_2''}(\sigma_{S_2''}))$, $\forall y \in \mathrm{Imp}(x)$, with value stores $\sigma_{S_1''}$ and $\sigma_{S_2''}$ agreeing on the values of the imported variables in $S_1''$ and $S_2''$ relative to $\mathrm{Imp}(x)$, $\sigma_{S_1''}(z) = \sigma_{S_2''}(z)$, $\forall z \in \mathrm{Imp}(S_1'', \mathrm{Imp}(x)) \cup \mathrm{Imp}(S_2'', \mathrm{Imp}(x))$.

By the definition of program size, the sum of the program sizes of $S_1''$ and $S_2''$ is less than $k$, $\mathrm{size}(S_1'') + \mathrm{size}(S_2'') < k$. By the hypothesis IH, $S_1''$ and $S_2''$ compute the imported variables in $S_1$ and $S_2$ relative to $x$ equivalently when started in states $m_{S_1''}(\sigma_{S_1''})$ and $m_{S_2''}(\sigma_{S_2''})$ with value stores $\sigma_{S_1''}$ and $\sigma_{S_2''}$ agreeing on the values of the imported variables in $S_1''$ and $S_2''$ relative to the variables $\mathrm{Imp}(x)$.

By Lemma 5.2, $S_1$ and $S_2$ compute the variable $x$ equivalently when started from states $m_1(\mathrm{loop}_c^1, \sigma_1)$ and $m_2(\mathrm{loop}_c^2, \sigma_2)$ respectively. The theorem holds.

(c) $S_1$ and $S_2$ do not define the variable $x$: $x \notin \mathrm{Def}(S_1) \cup \mathrm{Def}(S_2)$.

By the definition of imported variables, the imported variables in $S_1$ and $S_2$ relative to $x$ are both $\{x\}$, $\mathrm{Imp}(S_1, \{x\}) = \mathrm{Imp}(S_2, \{x\}) = \{x\}$. By assumption, the initial value stores $\sigma_1$ and $\sigma_2$ agree on the value of the variable $x$, $\sigma_1(x) = \sigma_2(x)$. In addition, by assumption, the executions of $S_1$ and $S_2$ when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ terminate, $(S_1, m_1(\sigma_1)) \to^* (\text{skip}, m_1'(\sigma_1'))$, $(S_2, m_2(\sigma_2)) \to^* (\text{skip}, m_2'(\sigma_2'))$. Finally, by Corollary E.2 the value of $x$ is not changed in the executions of $S_1$ and $S_2$, $\sigma_1'(x) = \sigma_1(x) = \sigma_2(x) = \sigma_2'(x)$.

The theorem holds.

2. $S_1$ and $S_2$ are not both one statement such that one of the following holds (writing $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$, where $s_1$ and $s_2$ are the last statements):

(a) The last statements both define the variable $x$ such that all of the following hold:

• $S_1' =_y S_2'$, $\forall y \in \mathrm{Imp}(s_1, \{x\}) \cup \mathrm{Imp}(s_2, \{x\})$;

• $x \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$;

• $s_1 =_x s_2$;

We show that $S_1'$ and $S_2'$ compute the imported variables in $s_1$ and $s_2$ relative to the variable $x$ equivalently when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively, by the hypothesis IH. To do that, we show that the required conditions for applying the hypothesis IH are satisfied.

• $\mathrm{size}(S_1') + \mathrm{size}(S_2') < k$.

By the definition of program size, $\mathrm{size}(s_1) \geq 1$ and $\mathrm{size}(s_2) \geq 1$. Hence, $\mathrm{size}(S_1') + \mathrm{size}(S_2') < k$.

• The executions from $(S_1', m_1(\sigma_1))$ and $(S_2', m_2(\sigma_2))$ terminate, $(S_1', m_1(\sigma_1)) \to^* (\text{skip}, m_1''(\sigma_1''))$, $(S_2', m_2(\sigma_2)) \to^* (\text{skip}, m_2''(\sigma_2''))$.

By assumption, the executions from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(\sigma_2))$ terminate; then the executions of $S_1'$ and $S_2'$ from states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ terminate, $(S_1', m_1(\sigma_1)) \to^* (\text{skip}, m_1''(\sigma_1''))$, $(S_2', m_2(\sigma_2)) \to^* (\text{skip}, m_2''(\sigma_2''))$.

• The initial value stores agree on the values of the variables $\mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\})) \cup \mathrm{Imp}(S_2', \mathrm{Imp}(s_2, \{x\}))$.

By Lemma 5.3, $s_1$ and $s_2$ have the same imported variables relative to $x$, $\mathrm{Imp}(s_1, \{x\}) = \mathrm{Imp}(s_2, \{x\}) = \mathrm{Imp}(x)$. By the definition of imported variables, the imported variables in $S_1'$ relative to $\mathrm{Imp}(x)$ are the same as the imported variables in $S_1$ relative to $x$, $\mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\})) = \mathrm{Imp}(S_1, \{x\})$. Similarly, $\mathrm{Imp}(S_2', \mathrm{Imp}(s_2, \{x\})) = \mathrm{Imp}(S_2, \{x\})$. Then, by assumption, the initial value stores agree on the values of the variables $\mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\}))$ and $\mathrm{Imp}(S_2', \mathrm{Imp}(s_2, \{x\}))$: $\sigma_1(y) = \sigma_2(y)$, $\forall y \in \mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\})) \cup \mathrm{Imp}(S_2', \mathrm{Imp}(s_2, \{x\}))$.

By the hypothesis IH, after the full execution of $S_1'$ from state $m_1(\sigma_1)$ and the full execution of $S_2'$ from state $m_2(\sigma_2)$, the value stores agree on the values of the imported variables in $s_1$ and $s_2$ relative to $x$, $\sigma_1''(y) = \sigma_2''(y)$, $\forall y \in \mathrm{Imp}(x) = \mathrm{Imp}(s_1, \{x\}) = \mathrm{Imp}(s_2, \{x\})$.

Then, we show that $s_1$ and $s_2$ compute $x$ equivalently. By Corollary E.1, $s_1$ and $s_2$ continue execution after the full execution of $S_1'$ and $S_2'$ respectively, $(S_1'; s_1, m_1(\sigma_1)) \to^* (s_1, m_1''(\sigma_1''))$, $(S_2'; s_2, m_2(\sigma_2)) \to^* (s_2, m_2''(\sigma_2''))$. When $s_1$ and $s_2$ are while statements, by our assumption of unique loop labels, $s_1$ is not in $S_1'$. By Corollary E.4 the loop counter value of $s_1$ is not redefined in the execution of $S_1'$. Similarly, the loop counter value of $s_2$ is not redefined in the execution of $S_2'$. By the hypothesis IH again, after the full execution of $s_1$ and $s_2$, the value stores agree on the value of $x$: $(s_1, m_1''(\sigma_1'')) \to^* (\text{skip}, m_1'(\sigma_1'))$, $(s_2, m_2''(\sigma_2'')) \to^* (\text{skip}, m_2'(\sigma_2'))$ such that $\sigma_1'(x) = \sigma_2'(x)$. The theorem holds.

(b) One last statement does not define the variable $x$: w.l.o.g., $(x \notin \mathrm{Def}(s_2)) \wedge (S_1 =_x S_2')$.

We show that $S_1$ and $S_2'$ compute the variable $x$ equivalently when started from states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ by the hypothesis IH. First, by the definition of program size, $\mathrm{size}(s_2) \geq 1$. Hence, $\mathrm{size}(S_1) + \mathrm{size}(S_2') < k$. Next, by the definition of imported variables, $\mathrm{Imp}(S_2', \{x\}) \subseteq \mathrm{Imp}(S_2, \{x\})$. By assumption, $\sigma_1(y) = \sigma_2(y)$ for $\forall y \in \mathrm{Imp}(S_2', \{x\}) \cup \mathrm{Imp}(S_1, \{x\})$. By the hypothesis IH, $S_1$ and $S_2'$ compute the variable $x$ equivalently when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively, $(S_2', m_2(\sigma_2)) \to^* (\text{skip}, m_2''(\sigma_2''))$, $(S_1, m_1(\sigma_1)) \to^* (\text{skip}, m_1'(\sigma_1'))$ such that $\sigma_1'(x) = \sigma_2''(x)$.

Then, we show that $S_1$ and $S_2$ compute the variable $x$ equivalently after the full execution of $S_2'$. By Corollary E.1, $s_2$ continues execution immediately after the full execution of $S_2'$, $(S_2'; s_2, m_2) \to^* (s_2, m_2'')$. By assumption, the execution from $(S_2'; s_2, m_2)$ terminates, $(s_2, m_2''(\sigma_2'')) \to^* (\text{skip}, m_2'(\sigma_2'))$. By Corollary E.2 the value of $x$ is not changed in the execution of $s_2$, $\sigma_2''(x) = \sigma_2'(x)$. Hence, $\sigma_1'(x) = \sigma_2'(x)$. The theorem holds.

(c) There are statements moving in/out of an If statement:

$s_1 =$ "If $(e)$ then $\{S_1^t\}$ else $\{S_1^f\}$", $s_2 =$ "If $(e)$ then $\{S_2^t\}$ else $\{S_2^f\}$" such that none of the above cases hold and all of the following hold:

• $S_1' =_y S_2'$ for $\forall y \in \mathrm{Use}(e)$;

• $S_1'; S_1^t =_x S_2'; S_2^t$;

• $S_1'; S_1^f =_x S_2'; S_2^f$;

• $x \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$;

Recall that $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$. We first show that, after the full execution of $S_1'$ and $S_2'$ started in states $m_1$ and $m_2$, the predicate expressions of $s_1$ and $s_2$ evaluate to the same value, w.l.o.g. zero. Next we show that $S_1$ and $S_1'; S_1^f$ compute the variable $x$ equivalently when (1) both are started in state $m_1$ and (2) the predicate expression of $s_1$ evaluates to zero after the full execution of $S_1'$ started in state $m_1$; similarly, $S_2$ and $S_2'; S_2^f$ compute the variable $x$ equivalently when (1) both are started in state $m_2$ and (2) the predicate expression of $s_2$ evaluates to zero after the full execution of $S_2'$ started in state $m_2$. Last, we prove the theorem by showing that $S_1'; S_1^f$ started in state $m_1$ and $S_2'; S_2^f$ started in state $m_2$ compute the variable $x$ equivalently.

In order to show that $S_1'$ and $S_2'$ compute the variables used in the predicate expressions of $s_1$ and $s_2$ equivalently by the hypothesis IH, we show that all required conditions for the application of the hypothesis IH are satisfied.

• $\mathrm{size}(S_1') + \mathrm{size}(S_2') < k$.

The sum of the program sizes of $S_1'$ and $S_2'$ is less than $k$ by the definition of program size for $s_1$ and $s_2$, $\mathrm{size}(S_1') + \mathrm{size}(S_2') < k$.

• The executions of $S_1'$ and $S_2'$ terminate, $(S_1', m_1) \to^* (\text{skip}, m_1''(\sigma_1''))$ and $(S_2', m_2) \to^* (\text{skip}, m_2''(\sigma_2''))$.

By assumption, the executions of $S_1$ and $S_2$ from states $m_1$ and $m_2$ respectively terminate; then the executions of $S_1'$ and $S_2'$ terminate when started in states $m_1$ and $m_2$ respectively.

• The initial value stores $\sigma_1$ and $\sigma_2$ agree on the values of the imported variables in $S_1'$ and $S_2'$ relative to the variables used in the predicate expressions of $s_1$ and $s_2$.

By Lemma 5.3 the imported variables in $S_1'$ and $S_2'$ relative to the variables used in the predicate expressions of $s_1$ and $s_2$ are the same, $\mathrm{Imp}(S_1', \mathrm{Use}(e)) = \mathrm{Imp}(S_2', \mathrm{Use}(e)) = \mathrm{Imp}(e)$. By the definition of imported variables, the imported variables in $S_1'$ relative to the variables used in the predicate expression of $s_1$ are a subset of the imported variables in $S_1$ relative to $x$, $\mathrm{Imp}(S_1', \mathrm{Use}(e)) \subseteq \mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\})) = \mathrm{Imp}(S_1, \{x\})$. Similarly, $\mathrm{Imp}(S_2', \mathrm{Use}(e)) \subseteq \mathrm{Imp}(S_2, \{x\})$. Then, by assumption, the initial value stores agree on the values of the imported variables in $S_1'$ and $S_2'$ relative to the variables used in the predicate expressions of $s_1$ and $s_2$, $\sigma_1(y) = \sigma_2(y)$, $\forall y \in \mathrm{Imp}(e) = \mathrm{Imp}(S_1', \mathrm{Use}(e)) = \mathrm{Imp}(S_2', \mathrm{Use}(e))$.

By the hypothesis IH, after the full execution of $S_1'$ and $S_2'$, the value stores agree on the values of the variables used in the predicate expressions of $s_1$ and $s_2$, $\sigma_1''(y) = \sigma_2''(y)$, $\forall y \in \mathrm{Use}(e)$. By Corollary E.1, $s_1$ and $s_2$ continue execution after the full execution of $S_1'$ and $S_2'$ respectively, $(S_1'; s_1, m_1) \to^* (s_1, m_1''(\sigma_1''))$ and $(S_2'; s_2, m_2) \to^* (s_2, m_2''(\sigma_2''))$.

By the property of the expression meaning function $\mathcal{E}$, the expression $e$ evaluates to the same value w.r.t. the value stores $\sigma_1''$ and $\sigma_2''$, w.l.o.g. zero, $\mathcal{E}[\![e]\!]\sigma_1'' = \mathcal{E}[\![e]\!]\sigma_2'' = 0$. Then the execution of $s_1$ proceeds as follows.

$(s_1, m_1''(\sigma_1''))$
$= (\text{If } (e) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1''(\sigma_1''))$
$\to (\text{If } (0) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1''(\sigma_1''))$ by the EEval rule
$\to (S_1^f, m_1''(\sigma_1''))$ by the If-F rule.

Similarly, the execution from $(s_2, m_2''(\sigma_2''))$ gets to $(S_2^f, m_2''(\sigma_2''))$.

Then, we show that $S_1$ and $S_1'; S_1^f$ compute the variable $x$ equivalently when both are started from state $m_1(\sigma_1)$. The execution of $S_1'; S_1^f$ started from state $m_1$ also gets to the configuration $(S_1^f, m_1''(\sigma_1''))$, because the executions of $S_1 = S_1'; s_1$ and of $S_1'; S_1^f$ share the common execution $(S_1', m_1) \to^* (\text{skip}, m_1''(\sigma_1''))$. By Corollary E.1, $S_1^f$ continues execution after the full execution of $S_1'$, $(S_1'; S_1^f, m_1) \to^* (S_1^f, m_1'')$. Therefore, the executions of $S_1$ and $S_1'; S_1^f$ from state $m_1$ compute the variable $x$ equivalently because both executions get to the same intermediate configuration. Similarly, $S_2$ and $S_2'; S_2^f$ compute the variable $x$ equivalently when both are started from state $m_2(\sigma_2)$.

Lastly, we show that $S_1'; S_1^f$ and $S_2'; S_2^f$ compute the variable $x$ equivalently when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively, by the hypothesis IH. To do that, we show that all required conditions for the application of the hypothesis IH are satisfied.

• $\mathrm{size}(S_1'; S_1^f) + \mathrm{size}(S_2'; S_2^f) < k$.

This is obtained by the definition of program size.

• The executions of $S_1'; S_1^f$ and $S_2'; S_2^f$ terminate when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively.

This is obtained by the above argument.

• $\sigma_1(y) = \sigma_2(y)$, $\forall y \in \mathrm{Imp}(S_1'; S_1^f, \{x\}) \cup \mathrm{Imp}(S_2'; S_2^f, \{x\})$.

We show that $\mathrm{Imp}(S_1'; S_1^f, \{x\}) \subseteq \mathrm{Imp}(S_1, \{x\})$ as follows.

$\mathrm{Imp}(S_1^f, \{x\}) \subseteq \mathrm{Imp}(s_1, \{x\})$ (1) by the definition of imported variables.

$\mathrm{Imp}(S_1'; S_1^f, \{x\})$
$= \mathrm{Imp}(S_1', \mathrm{Imp}(S_1^f, \{x\}))$ by Lemma C.1
$\subseteq \mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\}))$ by (1)
$= \mathrm{Imp}(S_1, \{x\})$ by the definition of imported variables.

Similarly, $\mathrm{Imp}(S_2'; S_2^f, \{x\}) \subseteq \mathrm{Imp}(S_2, \{x\})$. Then, by assumption, the initial value stores agree on the values of the imported variables in $S_1'; S_1^f$ and $S_2'; S_2^f$ relative to $x$.

Then, by the hypothesis IH, after the full execution of $S_1'; S_1^f$ and $S_2'; S_2^f$, the value stores agree on the value of $x$, $(S_1'; S_1^f, m_1) \to^* (\text{skip}, m_1'(\sigma_1'))$, $(S_2'; S_2^f, m_2) \to^* (\text{skip}, m_2'(\sigma_2'))$ such that $\sigma_1'(x) = \sigma_2'(x)$.

In conclusion, after the executions of $S_1$ and $S_2$, the value stores agree on the value of $x$. Therefore, the theorem holds.

□
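The proof above, and the base case of Lemma 5.1 below, lean on a handful of properties of imported variables: the sequence rule $\mathrm{Imp}(S_1; S_2, X) = \mathrm{Imp}(S_1, \mathrm{Imp}(S_2, X))$, the union over unrolled loop bodies for while statements, $\mathrm{Imp}(S, \{x\}) = \{x\}$ when $x \notin \mathrm{Def}(S)$, and the consequence that the final value of $x$ depends only on the initial values of $\mathrm{Imp}(S, \{x\})$. The following Python is an added example, not the paper's own definition or code: the `Imp` function is my reconstruction from exactly those properties, and the expression encoding, the interpreter `run`, and the sample programs `S1`/`S2` (a sum loop and a variant routed through a temporary) are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Union

Store = Dict[str, int]          # a value store sigma: variable -> value

@dataclass(frozen=True)
class Expr:
    use: FrozenSet[str]         # Use(e): the variables e reads
    fn: Callable[[Store], int]  # E[[e]]sigma: the meaning of e in store sigma

@dataclass(frozen=True)
class Assign:                   # "id := e"
    id: str
    e: Expr

@dataclass(frozen=True)
class Seq:                      # "S1; S2"
    s1: "Stmt"
    s2: "Stmt"

@dataclass(frozen=True)
class If:                       # "If (e) then {st} else {sf}"
    e: Expr
    st: "Stmt"
    sf: "Stmt"

@dataclass(frozen=True)
class While:                    # "while (e) {body}"
    e: Expr
    body: "Stmt"

Stmt = Union[Assign, Seq, If, While]

def Def(s: Stmt) -> FrozenSet[str]:
    """Def(s): the variables s may assign."""
    if isinstance(s, Assign):
        return frozenset({s.id})
    if isinstance(s, Seq):
        return Def(s.s1) | Def(s.s2)
    if isinstance(s, If):
        return Def(s.st) | Def(s.sf)
    return Def(s.body)          # While

def Imp(s: Stmt, X: FrozenSet[str]) -> FrozenSet[str]:
    """Imp(s, X): variables whose initial values the final values of X depend on
    (reconstructed from the properties used in the proofs; assumed, not the paper's text)."""
    if not (X & Def(s)):        # s defines no variable of X: X is imported unchanged
        return X
    if isinstance(s, Assign):   # id := e with id in X: id is replaced by Use(e)
        return (X - {s.id}) | s.e.use
    if isinstance(s, Seq):      # Imp(S1; S2, X) = Imp(S1, Imp(S2, X))
        return Imp(s.s1, Imp(s.s2, X))
    if isinstance(s, If):       # predicate variables plus both branches
        return s.e.use | Imp(s.st, X) | Imp(s.sf, X)
    # While: union over i >= 0 of Imp(S^i, X ∪ Use(e)), computed as a fixpoint;
    # the variable set is finite, so the iteration terminates.
    Z = X | s.e.use
    while True:
        nxt = Z | Imp(s.body, Z)
        if nxt == Z:
            return Z
        Z = nxt

def run(s: Stmt, sigma: Store, bound: int = 100_000) -> Store:
    """Execute s from sigma; 'bound' caps the loop counter so that only terminating
    executions (the setting of Theorem 2 and Lemma 5.2) are accepted."""
    sigma = dict(sigma)
    if isinstance(s, Assign):
        sigma[s.id] = s.e.fn(sigma)
    elif isinstance(s, Seq):
        sigma = run(s.s2, run(s.s1, sigma, bound), bound)
    elif isinstance(s, If):
        sigma = run(s.st if s.e.fn(sigma) != 0 else s.sf, sigma, bound)
    else:
        loop_counter = 0        # plays the role of loop_c(n) in the semantics
        while s.e.fn(sigma) != 0:
            loop_counter += 1
            if loop_counter > bound:
                raise RuntimeError("loop counter bound exceeded: not a terminating execution")
            sigma = run(s.body, sigma, bound)
    return sigma

# Expression constructors (hypothetical helpers for building sample programs).
def var(n: str) -> Expr: return Expr(frozenset({n}), lambda st: st[n])
def const(c: int) -> Expr: return Expr(frozenset(), lambda st: c)
def add(a: Expr, b: Expr) -> Expr: return Expr(a.use | b.use, lambda st: a.fn(st) + b.fn(st))
def lt(a: Expr, b: Expr) -> Expr: return Expr(a.use | b.use, lambda st: int(a.fn(st) < b.fn(st)))

# Constructed samples: S1 adds a to x n times; S2 routes the sum through a temporary t.
S1 = While(lt(var("i"), var("n")),
           Seq(Assign("x", add(var("x"), var("a"))),
               Assign("i", add(var("i"), const(1)))))
S2 = While(lt(var("i"), var("n")),
           Seq(Seq(Assign("t", add(var("x"), var("a"))), Assign("x", var("t"))),
               Assign("i", add(var("i"), const(1)))))

def imp_x(s: Stmt) -> FrozenSet[str]:
    return Imp(s, frozenset({"x"}))

def body_imports_closed(s: While) -> bool:
    """The inclusion Imp(S, Imp(x)) ⊆ Imp(x) shown in the base case of Lemma 5.1."""
    return Imp(s.body, imp_x(s)) <= imp_x(s)

def same_x_after(s1: Stmt, s2: Stmt, sigma1: Store, sigma2: Store) -> bool:
    """Theorem 2 in action: stores that agree on Imp(S1,{x}) ∪ Imp(S2,{x}) (and may
    differ elsewhere) lead terminating executions to the same final value of x."""
    if any(sigma1[y] != sigma2[y] for y in imp_x(s1) | imp_x(s2)):
        raise ValueError("stores must agree on the imported variables relative to x")
    return run(s1, sigma1)["x"] == run(s2, sigma2)["x"]
```

Here `imp_x(S2)` does not contain `t`, so two stores that disagree only on `t` still yield the same `x`, which is exactly what the theorem promises for an update that introduces a temporary.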

5.2.3 Supporting lemmas for the soundness proof of equivalent computation for terminating programs

The lemmas include the proof that two while statements compute a variable equivalently, used in the proof of Theorem 2, and the property that two programs have the same imported variables relative to a variable $x$ if the two programs satisfy the proof rule of equivalent computation of the variable $x$. From the proof rule of terminating computation of a variable $x$, the two programs either both define $x$ or both do not.

Lemma 5.1. Let $s_1 =$ "while$_{(n_1)}(e)\ \{S_1\}$" and $s_2 =$ "while$_{(n_2)}(e)\ \{S_2\}$" be two while statements with the same set of imported variables relative to a variable $x$ (defined in $s_1$ and $s_2$), $\mathrm{Imp}(x)$, and whose loop bodies $S_1$ and $S_2$ terminatingly compute the variables in $\mathrm{Imp}(x)$ equivalently when started in states that agree on the values of the variables imported by $S_1$ or $S_2$ relative to $\mathrm{Imp}(x)$:

• $x \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$;

• $\mathrm{Imp}(s_1, \{x\}) = \mathrm{Imp}(s_2, \{x\}) = \mathrm{Imp}(x)$;

• $\forall y \in \mathrm{Imp}(x), \forall m_{S_1}(\sigma_{S_1}), m_{S_2}(\sigma_{S_2})$ :
$\big((\forall z \in \mathrm{Imp}(S_1, \mathrm{Imp}(x)) \cup \mathrm{Imp}(S_2, \mathrm{Imp}(x)) : \sigma_{S_1}(z) = \sigma_{S_2}(z)) \Rightarrow ((S_1, m_{S_1}(\sigma_{S_1})) =_y (S_2, m_{S_2}(\sigma_{S_2})))\big)$.

If the executions of $s_1$ and $s_2$ terminate when started in states $m_1(\mathrm{loop}_c^1, \sigma_1)$ and $m_2(\mathrm{loop}_c^2, \sigma_2)$ in which $s_1$ and $s_2$ have not already executed (loop counters initially 0: $\mathrm{loop}_c^1(n_1) = \mathrm{loop}_c^2(n_2) = 0$), and whose value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{Imp}(x)$, $\forall y \in \mathrm{Imp}(x), \sigma_1(y) = \sigma_2(y)$, then, for any positive integer $i$, one of the following holds:

1. The loop counters for $s_1$ and $s_2$ are always less than $i$:

$\forall m_1', m_2'$ such that $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'}))$ and $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'}))$,
$\mathrm{loop}_c^{1'}(n_1) < i$ and $\mathrm{loop}_c^{2'}(n_2) < i$;

2. There are two configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which the loop counters of $s_1$ and $s_2$ are equal to $i$ and the value stores agree on the values of the imported variables relative to $x$ and, for every state in the executions $(s_1, m_1) \to^* (s_1, m_{1_i})$ and $(s_2, m_2) \to^* (s_2, m_{2_i})$, the loop counters for $s_1$ and $s_2$ are less than or equal to $i$ respectively:

$\exists (s_1, m_{1_i}), (s_2, m_{2_i})$ : $(s_1, m_1) \to^* (s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i})) \wedge (s_2, m_2) \to^* (s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i}))$ where

• $\mathrm{loop}_c^{1_i}(n_1) = \mathrm{loop}_c^{2_i}(n_2) = i$; and

• $\forall y \in \mathrm{Imp}(x) : \sigma_{1_i}(y) = \sigma_{2_i}(y)$; and

• $\forall m_1'$ : $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'})) \to^* (s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$, $\mathrm{loop}_c^{1'}(n_1) \leq i$; and

• $\forall m_2'$ : $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'})) \to^* (s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i}))$, $\mathrm{loop}_c^{2'}(n_2) \leq i$.

Proof. By induction on $i$.

Base case, $i = 1$.

By assumption, the initial loop counters of $s_1$ and $s_2$ are zero, and the initial value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{Imp}(x)$. We show that one of the following cases holds:

1. The loop counters for $s_1$ and $s_2$ are always less than 1:

$\forall m_1', m_2'$ such that $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'}))$ and $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'}))$, $\mathrm{loop}_c^{1'}(n_1) < 1$ and $\mathrm{loop}_c^{2'}(n_2) < 1$;

2. There are two configurations $(s_1, m_{1_1})$ and $(s_2, m_{2_1})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which the loop counters of $s_1$ and $s_2$ are equal to 1 and the value stores agree on the values of the imported variables relative to $x$ and, for every state in the executions $(s_1, m_1) \to^* (s_1, m_{1_1})$ and $(s_2, m_2) \to^* (s_2, m_{2_1})$, the loop counters for $s_1$ and $s_2$ are less than or equal to one respectively:

$\exists (s_1, m_{1_1}), (s_2, m_{2_1})$ : $(s_1, m_1) \to^* (s_1, m_{1_1}(\mathrm{loop}_c^{1_1}, \sigma_{1_1})) \wedge (s_2, m_2) \to^* (s_2, m_{2_1}(\mathrm{loop}_c^{2_1}, \sigma_{2_1}))$ where

• $\mathrm{loop}_c^{1_1}(n_1) = \mathrm{loop}_c^{2_1}(n_2) = 1$; and

• $\forall y \in \mathrm{Imp}(x) : \sigma_{1_1}(y) = \sigma_{2_1}(y)$; and

• $\forall m_1'$ : $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'})) \to^* (s_1, m_{1_1}(\mathrm{loop}_c^{1_1}, \sigma_{1_1}))$, $\mathrm{loop}_c^{1'}(n_1) \leq 1$; and

• $\forall m_2'$ : $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'})) \to^* (s_2, m_{2_1}(\mathrm{loop}_c^{2_1}, \sigma_{2_1}))$, $\mathrm{loop}_c^{2'}(n_2) \leq 1$.

We show that the evaluations of the predicate expressions of $s_1$ and $s_2$ w.r.t. the value stores $\sigma_1$ and $\sigma_2$ produce the same value. By the definition of imported variables, $\mathrm{Imp}(s_1, \{x\}) = \bigcup_{i \geq 0} \mathrm{Imp}(S_1^i, \{x\} \cup \mathrm{Use}(e))$. By our notation of $S^i$, $S_1^0 = \text{skip}$. By the definition of imported variables, $\mathrm{Imp}(S_1^0, \{x\} \cup \mathrm{Use}(e)) = \{x\} \cup \mathrm{Use}(e)$. Then $\mathrm{Use}(e) \subseteq \mathrm{Imp}(x)$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{Use}(e)$. By Lemma D.1 the predicate expression $e$ of $s_1$ and $s_2$ evaluates to the same value $v$ w.r.t. the value stores $\sigma_1, \sigma_2$, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = v$. Then there are two possibilities to consider.

1. $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = v = 0$

The execution from $(s_1, m_1(\mathrm{loop}_c^1, \sigma_1))$ proceeds as follows.

$(s_1, m_1(\mathrm{loop}_c^1, \sigma_1))$
$= (\text{while}_{(n_1)}(e)\ \{S_1\},\ m_1(\mathrm{loop}_c^1, \sigma_1))$
$\to (\text{while}_{(n_1)}(0)\ \{S_1\},\ m_1(\mathrm{loop}_c^1, \sigma_1))$ by the EEval' rule
$\to (\text{skip},\ m_1(\mathrm{loop}_c^1[0/n_1], \sigma_1))$ by the Wh-F rule.

Similarly, $(s_2, m_2(\mathrm{loop}_c^2, \sigma_2)) \to^* (\text{skip}, m_2(\mathrm{loop}_c^2[0/n_2], \sigma_2))$.

In conclusion, the loop counters of $s_1$ and $s_2$ in any states of the executions from $(s_1, m_1)$ and $(s_2, m_2)$ respectively are less than 1: $\forall m_1', m_2'$ such that $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'}))$ and $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'}))$, $\mathrm{loop}_c^{1'}(n_1) < 1$, $\mathrm{loop}_c^{2'}(n_2) < 1$.

2. $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = v \neq 0$

The execution from $(s_1, m_1(\mathrm{loop}_c^1, \sigma_1))$ proceeds as follows.

$(s_1, m_1(\mathrm{loop}_c^1, \sigma_1))$
$= (\text{while}_{(n_1)}(e)\ \{S_1\},\ m_1(\mathrm{loop}_c^1, \sigma_1))$
$\to (\text{while}_{(n_1)}(v)\ \{S_1\},\ m_1(\mathrm{loop}_c^1, \sigma_1))$ by the EEval' rule
$\to (S_1; \text{while}_{(n_1)}(e)\ \{S_1\},\ m_1(\mathrm{loop}_c^1[1/n_1], \sigma_1))$ by the Wh-T rule.

Similarly, $(s_2, m_2(\mathrm{loop}_c^2, \sigma_2)) \to^* (S_2; \text{while}_{(n_2)}(e)\ \{S_2\},\ m_2(\mathrm{loop}_c^2[1/n_2], \sigma_2))$. Then the loop counters of $s_1$ and $s_2$ are 1, $\mathrm{loop}_c^1[1/n_1](n_1) = \mathrm{loop}_c^2[1/n_2](n_2) = 1$, and we show below that the value stores $\sigma_{1_1}$ and $\sigma_{2_1}$ reached after the loop bodies agree on the values of the variables in $\mathrm{Imp}(x)$, $\forall y \in \mathrm{Imp}(x), \sigma_{1_1}(y) = \sigma_{2_1}(y)$.

By assumption, the execution of $s_1$ terminates when started in the state $m_1(\mathrm{loop}_c^1, \sigma_1)$; then the execution of $S_1$ terminates when started in the state $m_1(\mathrm{loop}_c^1[1/n_1], \sigma_1)$: $(s_1, m_1) \to^* (S_1; \text{while}_{(n_1)}(e)\ \{S_1\},\ m_1(\mathrm{loop}_c^1[1/n_1], \sigma_1)) \to^* (\text{skip}, m_1')$ implies $(S_1, m_1(\mathrm{loop}_c^1[1/n_1], \sigma_1)) \to^* (\text{skip}, m_{1_1}(\mathrm{loop}_c^{1_1}, \sigma_{1_1}))$. Similarly, the execution of $S_2$ terminates when started in the state $m_2(\mathrm{loop}_c^2[1/n_2], \sigma_2)$,

$(S_2, m_2(\mathrm{loop}_c^2[1/n_2], \sigma_2)) \to^* (\text{skip}, m_{2_1}(\mathrm{loop}_c^{2_1}, \sigma_{2_1}))$.

We show that, after the full execution of $S_1$ and $S_2$, the following four properties hold.

• The loop counters of $s_1$ and $s_2$ are of value 1, $\mathrm{loop}_c^{1_1}(n_1) = \mathrm{loop}_c^{2_1}(n_2) = 1$.

By the assumption of unique loop labels, $s_1 \notin S_1$. Then the loop counter value of $n_1$ is not redefined in the execution of $S_1$ by Corollary E.4, $\mathrm{loop}_c^1[1/n_1](n_1) = \mathrm{loop}_c^{1_1}(n_1) = 1$. Similarly, the loop counter value of $n_2$ is not redefined in the execution of $S_2$, $\mathrm{loop}_c^2[1/n_2](n_2) = \mathrm{loop}_c^{2_1}(n_2) = 1$.

• In any state in the execution $(s_1, m_1) \to^* (s_1, m_{1_1}(\mathrm{loop}_c^{1_1}, \sigma_{1_1}))$, the loop counter of $s_1$ is less than or equal to 1.

The loop counter of $s_1$ is zero in either of the two states of the one-step execution $(s_1, m_1) \to (\text{while}_{(n_1)}(v)\ \{S_1\},\ m_1(\mathrm{loop}_c^1, \sigma_1))$, and the loop counter of $s_1$ is 1 in any state of the execution

$(S_1; \text{while}_{(n_1)}(e)\ \{S_1\},\ m_1(\mathrm{loop}_c^1[1/n_1], \sigma_1)) \to^* (s_1, m_{1_1}(\mathrm{loop}_c^{1_1}, \sigma_{1_1}))$.

• In any state in the execution $(s_2, m_2) \to^* (s_2, m_{2_1}(\mathrm{loop}_c^{2_1}, \sigma_{2_1}))$, the loop counter of $s_2$ is less than or equal to 1.

By the same argument as for the loop counter of $s_1$.

• The value stores $\sigma_{1_1}$ and $\sigma_{2_1}$ agree on the values of the imported variables in $s_1$ and $s_2$ relative to the variable $x$: $\forall y \in \mathrm{Imp}(x), \sigma_{1_1}(y) = \sigma_{2_1}(y)$.

We show that the imported variables in $S_1$ relative to those in $\mathrm{Imp}(x)$ are a subset of $\mathrm{Imp}(x)$.

$\mathrm{Imp}(S_1, \mathrm{Imp}(x))$
$= \mathrm{Imp}(S_1, \mathrm{Imp}(s_1, \{x\} \cup \mathrm{Use}(e)))$ by the definition of $\mathrm{Imp}(x)$
$= \mathrm{Imp}(S_1, \bigcup_{j \geq 0} \mathrm{Imp}(S_1^j, \{x\} \cup \mathrm{Use}(e)))$ by the definition of imported variables
$= \bigcup_{j \geq 0} \mathrm{Imp}(S_1, \mathrm{Imp}(S_1^j, \{x\} \cup \mathrm{Use}(e)))$ by Lemma C.2
$= \bigcup_{j \geq 0} \mathrm{Imp}(S_1^{j+1}, \{x\} \cup \mathrm{Use}(e))$ by Lemma C.1
$\subseteq \bigcup_{j \geq 0} \mathrm{Imp}(S_1^j, \{x\} \cup \mathrm{Use}(e))$
$= \mathrm{Imp}(s_1, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(x)$.

Similarly, $\mathrm{Imp}(S_2, \mathrm{Imp}(x)) \subseteq \mathrm{Imp}(x)$. Consequently, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the imported variables in $S_1$ and $S_2$ relative to those in $\mathrm{Imp}(x)$, $\forall y \in \mathrm{Imp}(S_1, \mathrm{Imp}(x)) \cup \mathrm{Imp}(S_2, \mathrm{Imp}(x)), \sigma_1(y) = \sigma_2(y)$. Because $S_1$ and $S_2$ compute every variable in $\mathrm{Imp}(x)$ equivalently when started in states agreeing on the values of the imported variables relative to $\mathrm{Imp}(x)$, the value stores $\sigma_{1_1}$ and $\sigma_{2_1}$ agree on the values of the variables in $\mathrm{Imp}(x)$, $\forall y \in \mathrm{Imp}(x), \sigma_{1_1}(y) = \sigma_{2_1}(y)$.

It follows, by Corollary E.1, that

$(S_1; s_1, m_1(\mathrm{loop}_c^1[1/n_1], \sigma_1)) \to^* (s_1, m_{1_1}(\mathrm{loop}_c^{1_1}, \sigma_{1_1}))$ and $(S_2; s_2, m_2(\mathrm{loop}_c^2[1/n_2], \sigma_2)) \to^* (s_2, m_{2_1}(\mathrm{loop}_c^{2_1}, \sigma_{2_1}))$.

Induction step.

The induction hypothesis IH is that, for a positive integer $i$, one of the following holds:

1. The loop counters for $s_1$ and $s_2$ are always less than $i$:

$\forall m_1', m_2'$ such that $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'}))$ and $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'}))$, $\mathrm{loop}_c^{1'}(n_1) < i$ and $\mathrm{loop}_c^{2'}(n_2) < i$;

2. There are two configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which the loop counters of $s_1$ and $s_2$ are equal to $i$ and the value stores agree on the values of the imported variables relative to $x$ and, for every state in the executions $(s_1, m_1) \to^* (s_1, m_{1_i})$ and $(s_2, m_2) \to^* (s_2, m_{2_i})$, the loop counters for $s_1$ and $s_2$ are less than or equal to $i$ respectively:

$\exists (s_1, m_{1_i}), (s_2, m_{2_i})$ : $(s_1, m_1) \to^* (s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i})) \wedge (s_2, m_2) \to^* (s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i}))$ where

• $\mathrm{loop}_c^{1_i}(n_1) = \mathrm{loop}_c^{2_i}(n_2) = i$; and

• $\forall y \in \mathrm{Imp}(x), \sigma_{1_i}(y) = \sigma_{2_i}(y)$; and

• $\forall m_1'$ : $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'})) \to^* (s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$, $\mathrm{loop}_c^{1'}(n_1) \leq i$; and

• $\forall m_2'$ : $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'})) \to^* (s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i}))$, $\mathrm{loop}_c^{2'}(n_2) \leq i$.

We then show that, for the positive integer $i + 1$, one of the same two alternatives holds with $i$ replaced by $i + 1$: either the loop counters for $s_1$ and $s_2$ are always less than $i + 1$, or there are two configurations $(s_1, m_{1_{i+1}})$ and $(s_2, m_{2_{i+1}})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ in which the loop counters of $s_1$ and $s_2$ are equal to $i + 1$, $\mathrm{loop}_c^{1_{i+1}}(n_1) = \mathrm{loop}_c^{2_{i+1}}(n_2) = i + 1$, the value stores agree on the imported variables relative to $x$, $\forall y \in \mathrm{Imp}(x), \sigma_{1_{i+1}}(y) = \sigma_{2_{i+1}}(y)$, and for every state in the executions $(s_1, m_1) \to^* (s_1, m_{1_{i+1}})$ and $(s_2, m_2) \to^* (s_2, m_{2_{i+1}})$ the loop counters for $s_1$ and $s_2$ are less than or equal to $i + 1$ respectively.

By the hypothesis IH, one of the following holds:

1. The loop counters for $s_1$ and $s_2$ are always less than $i$:

$\forall m_1', m_2'$ such that $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'}))$ and $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'}))$, $\mathrm{loop}_c^{1'}(n_1) < i$ and $\mathrm{loop}_c^{2'}(n_2) < i$.

When this case holds, the loop counters for $s_1$ and $s_2$ are always less than $i + 1$:

$\forall m_1', m_2'$ such that $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'}))$ and $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'}))$, $\mathrm{loop}_c^{1'}(n_1) < i + 1$ and $\mathrm{loop}_c^{2'}(n_2) < i + 1$.

2. There are two configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which the loop counters of $s_1$ and $s_2$ are equal to $i$ and the value stores agree on the values of the imported variables relative to $x$ and, for every state in the executions $(s_1, m_1) \to^* (s_1, m_{1_i})$ and $(s_2, m_2) \to^* (s_2, m_{2_i})$, the loop counters for $s_1$ and $s_2$ are less than or equal to $i$ respectively:

$\exists (s_1, m_{1_i}), (s_2, m_{2_i})$ : $(s_1, m_1) \to^* (s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i})) \wedge (s_2, m_2) \to^* (s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i}))$ where

• $\mathrm{loop}_c^{1_i}(n_1) = \mathrm{loop}_c^{2_i}(n_2) = i$; and

• $\forall y \in \mathrm{Imp}(x), \sigma_{1_i}(y) = \sigma_{2_i}(y)$; and

• $\forall m_1'$ : $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'})) \to^* (s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$, $\mathrm{loop}_c^{1'}(n_1) \leq i$; and

• $\forall m_2'$ : $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'})) \to^* (s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i}))$, $\mathrm{loop}_c^{2'}(n_2) \leq i$.

By the same argument as in the base case, the evaluations of the predicate expressions of $s_1$ and $s_2$ w.r.t. the value stores $\sigma_{1_i}$ and $\sigma_{2_i}$ produce the same value. Then there are two possibilities:

(a) $\mathcal{E}[\![e]\!]\sigma_{1_i} = \mathcal{E}[\![e]\!]\sigma_{2_i} = (0, u_{of})$

The execution from $(s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$ proceeds as follows.

$(s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$
$= (\text{while}_{(n_1)}(e)\ \{S_1\},\ m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$
$\to (\text{while}_{(n_1)}((0, u_{of}))\ \{S_1\},\ m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$ by the EEval' rule
$\to (\text{while}_{(n_1)}(0)\ \{S_1\},\ m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$ by the E-Oflow1 and E-Oflow2 rules
$\to (\text{skip},\ m_{1_i}(\mathrm{loop}_c^{1_i}[0/n_1], \sigma_{1_i}))$ by the Wh-F rule.

By the hypothesis IH, the loop counters of $s_1$ and $s_2$ in any configuration in the executions $(s_1, m_1) \to^* (s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$ and $(s_2, m_2) \to^* (s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i}))$ respectively are less than or equal to $i$:

$\forall m_1'$ : $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'})) \to^* (s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$, $\mathrm{loop}_c^{1'}(n_1) \leq i$; and

$\forall m_2'$ : $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'})) \to^* (s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i}))$, $\mathrm{loop}_c^{2'}(n_2) \leq i$.

Therefore, the loop counters of $s_1$ and $s_2$ in any configuration in the executions

$(s_1, m_1) \to^* (\text{skip}, m_{1_i}(\mathrm{loop}_c^{1_i}[0/n_1], \sigma_{1_i}))$ and $(s_2, m_2) \to^* (\text{skip}, m_{2_i}(\mathrm{loop}_c^{2_i}[0/n_2], \sigma_{2_i}))$ respectively are less than $i + 1$.

(b) $\mathcal{E}[\![e]\!]\sigma_{1_i} = \mathcal{E}[\![e]\!]\sigma_{2_i} = v \neq 0$

The execution from $(s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$ proceeds as follows.

$(s_1, m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$
$= (\text{while}_{(n_1)}(e)\ \{S_1\},\ m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$
$\to (\text{while}_{(n_1)}(v)\ \{S_1\},\ m_{1_i}(\mathrm{loop}_c^{1_i}, \sigma_{1_i}))$ by the EEval' rule
$\to (S_1; \text{while}_{(n_1)}(e)\ \{S_1\},\ m_{1_i}(\mathrm{loop}_c^{1_i}[i+1/n_1], \sigma_{1_i}))$ by the Wh-T rule.

Similarly, $(s_2, m_{2_i}(\mathrm{loop}_c^{2_i}, \sigma_{2_i})) \to^* (S_2; \text{while}_{(n_2)}(e)\ \{S_2\},\ m_{2_i}(\mathrm{loop}_c^{2_i}[i+1/n_2], \sigma_{2_i}))$.

By the same argument as in the base case, the executions of $S_1$ and $S_2$ terminate when started in states $m_{1_i}(\mathrm{loop}_c^{1_i}[i+1/n_1], \sigma_{1_i})$ and $m_{2_i}(\mathrm{loop}_c^{2_i}[i+1/n_2], \s igma_{2_i})$ respectively, $(S_1; s_1, m_{1_i}(\mathrm{loop}_c^{1_i}[i+1/n_1], \sigma_{1_i})) \to^* (s_1, m_{1_{i+1}}(\mathrm{loop}_c^{1_{i+1}}, \sigma_{1_{i+1}}))$ and $(S_2; s_2, m_{2_i}(\mathrm{loop}_c^{2_i}[i+1/n_2], \sigma_{2_i})) \to^* (s_2, m_{2_{i+1}}(\mathrm{loop}_c^{2_{i+1}}, \sigma_{2_{i+1}}))$ such that all of the following hold:

• $\mathrm{loop}_c^{1_{i+1}}(n_1) = \mathrm{loop}_c^{2_{i+1}}(n_2) = i + 1$; and

• $\forall y \in \mathrm{Imp}(x), \sigma_{1_{i+1}}(y) = \sigma_{2_{i+1}}(y)$; and

• in any state in the execution $(s_1, m_{1_i}) \to^* (s_1, m_{1_{i+1}}(\mathrm{loop}_c^{1_{i+1}}, \sigma_{1_{i+1}}))$, the loop counter of $s_1$ is less than or equal to $i + 1$; and

• in any state in the execution $(s_2, m_{2_i}) \to^* (s_2, m_{2_{i+1}}(\mathrm{loop}_c^{2_{i+1}}, \sigma_{2_{i+1}}))$, the loop counter of $s_2$ is less than or equal to $i + 1$.

Together with the hypothesis IH, there are two configurations $(s_1, m_{1_{i+1}})$ and $(s_2, m_{2_{i+1}})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which the loop counters of $s_1$ and $s_2$ are equal to $i + 1$ and the value stores agree on the values of the imported variables relative to $x$ and, for every state in the executions $(s_1, m_1) \to^* (s_1, m_{1_{i+1}})$ and $(s_2, m_2) \to^* (s_2, m_{2_{i+1}})$, the loop counters for $s_1$ and $s_2$ are less than or equal to $i + 1$ respectively:

$\exists (s_1, m_{1_{i+1}}), (s_2, m_{2_{i+1}})$ :

$(s_1, m_1) \to^* (s_1, m_{1_{i+1}}(\mathrm{loop}_c^{1_{i+1}}, \sigma_{1_{i+1}})) \wedge (s_2, m_2) \to^* (s_2, m_{2_{i+1}}(\mathrm{loop}_c^{2_{i+1}}, \sigma_{2_{i+1}}))$ where

• $\mathrm{loop}_c^{1_{i+1}}(n_1) = \mathrm{loop}_c^{2_{i+1}}(n_2) = i + 1$; and

• $\forall y \in \mathrm{Imp}(x), \sigma_{1_{i+1}}(y) = \sigma_{2_{i+1}}(y)$; and

• $\forall m_1'$ : $(s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1'})) \to^* (s_1, m_{1_{i+1}}(\mathrm{loop}_c^{1_{i+1}}, \sigma_{1_{i+1}}))$, $\mathrm{loop}_c^{1'}(n_1) \leq i + 1$; and

• $\forall m_2'$ : $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2'})) \to^* (s_2, m_{2_{i+1}}(\mathrm{loop}_c^{2_{i+1}}, \sigma_{2_{i+1}}))$, $\mathrm{loop}_c^{2'}(n_2) \leq i + 1$.

□

Lemma 5.2. Let $s_1 =$ "while$_{(n_1)}(e)\ \{S_1\}$" and $s_2 =$ "while$_{(n_2)}(e)\ \{S_2\}$" be two while statements with the same set of imported variables relative to a variable $x$ (defined in $s_1$ and $s_2$), and whose loop bodies $S_1$ and $S_2$ terminatingly compute the variables in $\mathrm{Imp}(x)$ equivalently when started in states that agree on the values of the variables imported by $S_1$ or $S_2$ relative to $\mathrm{Imp}(x)$:

• $x \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$;

• $\mathrm{Imp}(s_1, \{x\}) = \mathrm{Imp}(s_2, \{x\}) = \mathrm{Imp}(x)$;

• $\forall y \in \mathrm{Imp}(x), \forall m_{S_1}(\sigma_{S_1}), m_{S_2}(\sigma_{S_2})$ :
$\big((\forall z \in \mathrm{Imp}(S_1, \mathrm{Imp}(x)) \cup \mathrm{Imp}(S_2, \mathrm{Imp}(x)) : \sigma_{S_1}(z) = \sigma_{S_2}(z)) \Rightarrow ((S_1, m_{S_1}(\sigma_{S_1})) =_y (S_2, m_{S_2}(\sigma_{S_2})))\big)$.

If the executions of $s_1$ and $s_2$ terminate when started in states $m_1(\mathrm{loop}_c^1, \sigma_1)$ and $m_2(\mathrm{loop}_c^2, \sigma_2)$ in which $s_1$ and $s_2$ have not already executed (loop counters initially 0: $\mathrm{loop}_c^1(n_1) = \mathrm{loop}_c^2(n_2) = 0$), and whose value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{Imp}(x)$, $\forall y \in \mathrm{Imp}(x), \sigma_1(y) = \sigma_2(y)$, then, when $s_1$ and $s_2$ terminate, $(s_1, m_1) \to^* (\text{skip}, m_1'(\sigma_1'))$ and $(s_2, m_2) \to^* (\text{skip}, m_2'(\sigma_2'))$, the value stores $\sigma_1'$ and $\sigma_2'$ agree on the value of $x$, $\sigma_1'(x) = \sigma_2'(x)$.

Proof. We show that there must exist a finite integer $k$ such that the loop counters of $s_1$ and $s_2$ in the executions started in states $m_1$ and $m_2$ are always less than $k$. By the definition of terminating execution, there are only finitely many steps in the executions of $s_1$ and $s_2$ started in states $m_1$ and $m_2$ respectively. Then, by Lemma [?], there must be a finite integer $k$ such that the loop counters of $s_1$ and $s_2$ are always less than $k$. In the following, we take $k$ to be the smallest positive integer such that the loop counters of $s_1$ and $s_2$ in the executions started in states $m_1$ and $m_2$ are always less than $k$.

By Lemma 5.1 there are two possibilities:

1. The loop counters for $s_1$ and $s_2$ are always less than 1 ($k = 1$): $\forall m_1', m_2'$ such that $(s_1, m_1) \to^* (S_1', m_1'(\mathit{loop}_c'))$ and $(s_2, m_2) \to^* (S_2', m_2'(\mathit{loop}_c'))$, $\mathit{loop}_c'(n_1) < 1$ and $\mathit{loop}_c'(n_2) < 1$.

By the proof of the base case of Lemma 5.1, the execution of $s_1$ proceeds as follows:

$(s_1, m_1) = (\mathrm{while}_{(n_1)}(e)\{S_1\}, m_1(\mathit{loop}_c, \sigma_1))$
$\to (\mathrm{while}_{(n_1)}(0)\{S_1\}, m_1(\mathit{loop}_c, \sigma_1))$ by the EEval' rule
$\to (\mathrm{skip}, m_1(\mathit{loop}_c[0/n_1], \sigma_1))$ by the Wh-F rule.

Similarly, the execution of $s_2$ proceeds to $(\mathrm{skip}, m_2(\mathit{loop}_c[0/n_2], \sigma_2))$. Therefore $\sigma_1' = \sigma_1$ and $\sigma_2' = \sigma_2$.

By the definition of imported variables, $x \in \mathrm{Imp}(s_1, \{x\})$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the value of $x$, so $\sigma_1'(x) = \sigma_1(x) = \sigma_2(x) = \sigma_2'(x)$. The lemma holds.

2. For some finite positive $k$ ($k > 1$), both of the following hold:

• The loop counters for $s_1$ and $s_2$ are always less than $k$: $\forall m_1', m_2'$ such that $(s_1, m_1) \to^* (S_1', m_1'(\mathit{loop}_c'))$ and $(s_2, m_2) \to^* (S_2', m_2'(\mathit{loop}_c'))$, $\mathit{loop}_c'(n_1) < k$ and $\mathit{loop}_c'(n_2) < k$;

• There are two configurations $(s_1, m_{1_{k-1}})$ and $(s_2, m_{2_{k-1}})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ respectively, in which the loop counters of $s_1$ and $s_2$ are equal to $k-1$ and the value stores agree on the values of the imported variables relative to $x$, and, for every state in the executions $(s_1, m_1) \to^* (s_1, m_{1_{k-1}})$ and $(s_2, m_2) \to^* (s_2, m_{2_{k-1}})$, the loop counters of $s_1$ and $s_2$ are less than or equal to $k-1$ respectively:
$\exists (s_1, m_{1_{k-1}}), (s_2, m_{2_{k-1}})$:
$(s_1, m_1) \to^* (s_1, m_{1_{k-1}}(\mathit{loop}_c^{k-1}, \sigma_{1_{k-1}})) \wedge (s_2, m_2) \to^* (s_2, m_{2_{k-1}}(\mathit{loop}_c^{k-1}, \sigma_{2_{k-1}}))$ where

  – $\mathit{loop}_c^{k-1}(n_1) = \mathit{loop}_c^{k-1}(n_2) = k-1$; and

  – $\forall y \in \mathrm{Imp}(x): \sigma_{1_{k-1}}(y) = \sigma_{2_{k-1}}(y)$; and

  – $\forall m_1': (s_1, m_1) \to^* (S_1', m_1'(\mathit{loop}_c')) \to^* (s_1, m_{1_{k-1}}(\mathit{loop}_c^{k-1}, \sigma_{1_{k-1}}))$, $\mathit{loop}_c'(n_1) \le k-1$; and

  – $\forall m_2': (s_2, m_2) \to^* (S_2', m_2'(\mathit{loop}_c')) \to^* (s_2, m_{2_{k-1}}(\mathit{loop}_c^{k-1}, \sigma_{2_{k-1}}))$, $\mathit{loop}_c'(n_2) \le k-1$.

By the proof of Lemma 5.1, the value stores $\sigma_{1_{k-1}}$ and $\sigma_{2_{k-1}}$ agree on the values of the variables in $\mathrm{Use}(e)$. By Lemma D.1, $\mathcal{E}[\![e]\!]\sigma_{1_{k-1}} = \mathcal{E}[\![e]\!]\sigma_{2_{k-1}} = v$. Because the loop counters of $s_1$ and $s_2$ are less than $k$ in the executions of $s_1$ and $s_2$ started in states $m_1$ and $m_2$, by our semantic rules the predicate expression of $s_1$ and $s_2$ must evaluate to zero w.r.t. the value stores $\sigma_{1_{k-1}}$ and $\sigma_{2_{k-1}}$: $\mathcal{E}[\![e]\!]\sigma_{1_{k-1}} = \mathcal{E}[\![e]\!]\sigma_{2_{k-1}} = (0, v_{of})$. Then the execution of $s_1$ proceeds as follows.

$(\mathrm{while}_{(n_1)}(e)\{S_1\}, m_{1_{k-1}}(\mathit{loop}_c^{k-1}, \sigma_{1_{k-1}}))$
$\to (\mathrm{while}_{(n_1)}((0, v_{of}))\{S_1\}, m_{1_{k-1}}(\mathit{loop}_c^{k-1}, \sigma_{1_{k-1}}))$ by the EEval' rule
$\to (\mathrm{while}_{(n_1)}(0)\{S_1\}, m_{1_{k-1}}(\mathit{loop}_c^{k-1}, \sigma_{1_{k-1}}))$ by the E-Oflow1 or E-Oflow2 rule
$\to (\mathrm{skip}, m_{1_{k-1}}(\mathit{loop}_c^{k-1}[0/n_1], \sigma_{1_{k-1}}))$ by the Wh-F rule.

Similarly, the execution of $s_2$ proceeds to $(\mathrm{skip}, m_{2_{k-1}}(\mathit{loop}_c^{k-1}[0/n_2], \sigma_{2_{k-1}}))$. Therefore $\sigma_2' = \sigma_{2_{k-1}}$ and $\sigma_1' = \sigma_{1_{k-1}}$. By the definition of imported variables, $x \in \mathrm{Imp}(x)$. In conclusion, $\sigma_2'(x) = \sigma_{2_{k-1}}(x) = \sigma_{1_{k-1}}(x) = \sigma_1'(x)$.

□

Lemma 5.3. If two statement sequences $S_1$ and $S_2$ satisfy the proof rule of terminating computation of a variable $x$ equivalently, then $S_1$ and $S_2$ have the same imported variables relative to $x$: $(S_1 \doteq^T_x S_2) \Rightarrow (\mathrm{Imp}(S_1, \{x\}) = \mathrm{Imp}(S_2, \{x\}))$.


Proof. By induction on $\mathrm{size}(S_1) + \mathrm{size}(S_2)$, the sum of the program sizes of $S_1$ and $S_2$.

Base case.

$S_1$ and $S_2$ are simple statements. Then the proof is a case analysis according to the cases in the definition of the proof rule of computing equivalently for simple statements.

1. $s_1 = s_2$.

By the definition of imported variables, the same statement has the same imported variables relative to the same $x$.

2. $s_1 \neq s_2$.

There are two further cases:

• $s_1 = $ “input $id_1$”, $s_2 = $ “input $id_2$” and $x \notin \{id_1, id_2\}$.

When $x = id_I$, by the definition of imported variables, $\mathrm{Imp}(s_1, \{id_I\}) = \mathrm{Imp}(s_2, \{id_I\}) = \{id_I\}$. When $x = id_{IO}$, by the definition of imported variables, $\mathrm{Imp}(s_1, \{id_{IO}\}) = \mathrm{Imp}(s_2, \{id_{IO}\}) = \{id_I, id_{IO}\}$.

When $x \notin \{id_I, id_{IO}\}$, by the definition of imported variables, $\mathrm{Imp}(s_1, \{x\}) = \mathrm{Imp}(s_2, \{x\}) = \{x\}$.

• The above cases do not hold and $x \notin \mathrm{Def}(s_1) \cup \mathrm{Def}(s_2)$.

By the definition of imported variables, $\mathrm{Imp}(s_1, \{x\}) = \mathrm{Imp}(s_2, \{x\}) = \{x\}$.

Induction step.

The hypothesis IH is that the lemma holds when $\mathrm{size}(S_1) + \mathrm{size}(S_2) = k \ge 2$.

Then we show that the lemma holds when $\mathrm{size}(S_1) + \mathrm{size}(S_2) = k + 1$.

The proof is a case analysis based on the cases in the definition of the proof rule of computing equivalently for statement sequences, $S_1 \doteq^T_x S_2$:

1. $S_1$ and $S_2$ are one statement such that one of the following holds:

(a) $S_1$ and $S_2$ are If statements that define the variable $x$:

$S_1 = $ “If $(e)$ then $\{S_1^t\}$ else $\{S_1^f\}$”, $S_2 = $ “If $(e)$ then $\{S_2^t\}$ else $\{S_2^f\}$” such that all of the following hold:

• $x \in \mathrm{Def}(S_1) \cap \mathrm{Def}(S_2)$;

• $S_1^t \doteq^T_x S_2^t$;

• $S_1^f \doteq^T_x S_2^f$.

By the hypothesis IH, the imported variables in $S_1^t$ and $S_2^t$ relative to $x$ are the same, $\mathrm{Imp}(S_1^t, \{x\}) = \mathrm{Imp}(S_2^t, \{x\})$. Similarly, $\mathrm{Imp}(S_1^f, \{x\}) = \mathrm{Imp}(S_2^f, \{x\})$. By the definition of imported variables, $\mathrm{Imp}(S_1, \{x\}) = \mathrm{Use}(e) \cup \mathrm{Imp}(S_1^t, \{x\}) \cup \mathrm{Imp}(S_1^f, \{x\})$. Similarly, $\mathrm{Imp}(S_2, \{x\}) = \mathrm{Use}(e) \cup \mathrm{Imp}(S_2^t, \{x\}) \cup \mathrm{Imp}(S_2^f, \{x\})$. Then the lemma holds.

(b) $S_1$ and $S_2$ are while statements that define the variable $x$:

$S_1 = $ “$\mathrm{while}_{(n_1)}(e)\{S_1''\}$”, $S_2 = $ “$\mathrm{while}_{(n_2)}(e)\{S_2''\}$” such that both of the following hold:

• $x \in \mathrm{Def}(S_1) \cap \mathrm{Def}(S_2)$;

• $\forall y \in \mathrm{Imp}(S_1, \{x\}) \cup \mathrm{Imp}(S_2, \{x\})$, $S_1'' \doteq^T_y S_2''$.

By the definition of imported variables, $\mathrm{Imp}(S_1, \{x\}) = \bigcup_{i \ge 0} \mathrm{Imp}(S_1''^{\,i}, \{x\} \cup \mathrm{Use}(e))$. Similarly, $\mathrm{Imp}(S_2, \{x\}) = \bigcup_{i \ge 0} \mathrm{Imp}(S_2''^{\,i}, \{x\} \cup \mathrm{Use}(e))$. Then we show that $\mathrm{Imp}(S_1''^{\,i}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_2''^{\,i}, \{x\} \cup \mathrm{Use}(e))$ by induction on $i$.

Base case.

By our assumption on the notation $S^i$, $S_1''^{\,0} = \mathrm{skip}$ and $S_2''^{\,0} = \mathrm{skip}$.

Then $\mathrm{Imp}(S_1''^{\,0}, \{x\} \cup \mathrm{Use}(e)) = \{x\} \cup \mathrm{Use}(e)$ and $\mathrm{Imp}(S_2''^{\,0}, \{x\} \cup \mathrm{Use}(e)) = \{x\} \cup \mathrm{Use}(e)$.

Hence $\mathrm{Imp}(S_1''^{\,0}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_2''^{\,0}, \{x\} \cup \mathrm{Use}(e))$.

Induction step.

The hypothesis IH2 is that $\mathrm{Imp}(S_1''^{\,i}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_2''^{\,i}, \{x\} \cup \mathrm{Use}(e))$ for $i \ge 0$.

Then we show that $\mathrm{Imp}(S_1''^{\,i+1}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_2''^{\,i+1}, \{x\} \cup \mathrm{Use}(e))$.

$\mathrm{Imp}(S_1''^{\,i+1}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_1'', \mathrm{Imp}(S_1''^{\,i}, \{x\} \cup \mathrm{Use}(e)))$ (1) by Corollary C.1
$\mathrm{Imp}(S_2''^{\,i+1}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_2'', \mathrm{Imp}(S_2''^{\,i}, \{x\} \cup \mathrm{Use}(e)))$ (2) by Corollary C.1
$\mathrm{Imp}(S_1''^{\,i}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_2''^{\,i}, \{x\} \cup \mathrm{Use}(e))$ by the hypothesis IH2
$\mathrm{Imp}(S_1'', \mathrm{Imp}(S_1''^{\,i}, \{x\} \cup \mathrm{Use}(e))) = \mathrm{Imp}(S_2'', \mathrm{Imp}(S_2''^{\,i}, \{x\} \cup \mathrm{Use}(e)))$ by the hypothesis IH
$\mathrm{Imp}(S_1''^{\,i+1}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_2''^{\,i+1}, \{x\} \cup \mathrm{Use}(e))$ by (1), (2).

Therefore $\mathrm{Imp}(S_1''^{\,i+1}, \{x\} \cup \mathrm{Use}(e)) = \mathrm{Imp}(S_2''^{\,i+1}, \{x\} \cup \mathrm{Use}(e))$.

In conclusion, $\mathrm{Imp}(S_1, \{x\}) = \mathrm{Imp}(S_2, \{x\})$. The lemma holds.

(c) $S_1$ and $S_2$ do not define the variable $x$: $x \notin \mathrm{Def}(S_1) \cup \mathrm{Def}(S_2)$.

By the definition of imported variables, the imported variable in $S_1$ and $S_2$ relative to $x$ is $x$ itself, $\mathrm{Imp}(S_1, \{x\}) = \mathrm{Imp}(S_2, \{x\}) = \{x\}$. The lemma holds.

2. $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ are not both one statement, such that one of the following holds:

(a) The last statements both define the variable $x$ such that all of the following hold:

• $\forall y \in \mathrm{Imp}(s_1, \{x\}) \cup \mathrm{Imp}(s_2, \{x\})$, $S_1' \doteq^T_y S_2'$;

• $x \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$;

• $s_1 \doteq^T_x s_2$.

By the hypothesis IH, we have $\mathrm{Imp}(s_1, \{x\}) = \mathrm{Imp}(s_2, \{x\}) = \mathrm{Imp}(x)$. Then, by the hypothesis IH again, we have that $\forall y \in \mathrm{Imp}(x) = \mathrm{Imp}(s_1, \{x\}) = \mathrm{Imp}(s_2, \{x\})$, $\mathrm{Imp}(S_1', \{y\}) = \mathrm{Imp}(S_2', \{y\})$. By taking the union over all $y \in \mathrm{Imp}(x)$ of $\mathrm{Imp}(S_1', \{y\})$ and of $\mathrm{Imp}(S_2', \{y\})$, by Lemma [C.?], $\mathrm{Imp}(S_1', \mathrm{Imp}(x)) = \mathrm{Imp}(S_2', \mathrm{Imp}(x))$. By the definition of imported variables, $\mathrm{Imp}(S_1, \{x\}) = \mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\}))$ and $\mathrm{Imp}(S_2, \{x\}) = \mathrm{Imp}(S_2', \mathrm{Imp}(s_2, \{x\}))$. Therefore the lemma holds.

(b) One last statement does not define the variable $x$; w.l.o.g., $(x \notin \mathrm{Def}(s_1)) \wedge (S_1' \doteq^T_x S_2)$.

By the definition of imported variables, we have $\mathrm{Imp}(s_1, \{x\}) = \{x\}$. By the hypothesis IH, $\mathrm{Imp}(S_1', \{x\}) = \mathrm{Imp}(S_2, \{x\})$. Therefore, by the definition of imported variables, $\mathrm{Imp}(S_1, \{x\}) = \mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\})) = \mathrm{Imp}(S_1', \{x\}) = \mathrm{Imp}(S_2, \{x\})$.

(c) There are statements moving into or out of If statements:

$s_1 = $ “If $(e)$ then $\{S_1^t\}$ else $\{S_1^f\}$”, $s_2 = $ “If $(e)$ then $\{S_2^t\}$ else $\{S_2^f\}$” such that none of the above cases hold and all of the following hold:

• $\forall y \in \mathrm{Use}(e)$, $S_1' \doteq^T_y S_2'$;

• $S_1'; S_1^t \doteq^T_x S_2'; S_2^t$;

• $S_1'; S_1^f \doteq^T_x S_2'; S_2^f$;

• $x \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$.

We show that all of the following hold.

i. $\mathrm{Imp}(S_1', \mathrm{Use}(e)) = \mathrm{Imp}(S_2', \mathrm{Use}(e))$.

By the hypothesis IH and the assumption that $\forall y \in \mathrm{Use}(e)$, $S_1' \doteq^T_y S_2'$, and then by Lemma [C.?], $\mathrm{Imp}(S_1', \mathrm{Use}(e)) = \mathrm{Imp}(S_2', \mathrm{Use}(e))$.

ii. $\mathrm{Imp}(S_1', \mathrm{Imp}(S_1^t, \{x\})) = \mathrm{Imp}(S_2', \mathrm{Imp}(S_2^t, \{x\}))$.

Because $\mathrm{size}($“If $(e)$ then $\{S_1^t\}$ else $\{S_1^f\}$”$) = 1 + \mathrm{size}(S_1^t) + \mathrm{size}(S_1^f)$, we have $\mathrm{size}(S_1'; S_1^t) + \mathrm{size}(S_2'; S_2^t) < k$. By the hypothesis IH, $\mathrm{Imp}(S_1'; S_1^t, \{x\}) = \mathrm{Imp}(S_2'; S_2^t, \{x\})$.

Besides, by Lemma [C.?],
$\mathrm{Imp}(S_1', \mathrm{Imp}(S_1^t, \{x\})) = \mathrm{Imp}(S_1'; S_1^t, \{x\}) = \mathrm{Imp}(S_2'; S_2^t, \{x\}) = \mathrm{Imp}(S_2', \mathrm{Imp}(S_2^t, \{x\}))$.

iii. $\mathrm{Imp}(S_1', \mathrm{Imp}(S_1^f, \{x\})) = \mathrm{Imp}(S_2', \mathrm{Imp}(S_2^f, \{x\}))$.

By the same argument as in case ii.

Then, by combining these together,

$\mathrm{Imp}(S_1, \{x\})$
$= \mathrm{Imp}(S_1', \mathrm{Imp}(s_1, \{x\}))$ by the definition of imported variables
$= \mathrm{Imp}(S_1', \mathrm{Imp}(S_1^t, \{x\}) \cup \mathrm{Imp}(S_1^f, \{x\}) \cup \mathrm{Use}(e))$ by the definition of imported variables
$= \mathrm{Imp}(S_1', \mathrm{Imp}(S_1^t, \{x\})) \cup \mathrm{Imp}(S_1', \mathrm{Imp}(S_1^f, \{x\})) \cup \mathrm{Imp}(S_1', \mathrm{Use}(e))$ by Lemma [C.?]
$= \mathrm{Imp}(S_2', \mathrm{Imp}(S_2^t, \{x\})) \cup \mathrm{Imp}(S_2', \mathrm{Imp}(S_2^f, \{x\})) \cup \mathrm{Imp}(S_2', \mathrm{Use}(e))$ by i, ii, iii
$= \mathrm{Imp}(S_2', \mathrm{Imp}(S_2^t, \{x\}) \cup \mathrm{Imp}(S_2^f, \{x\}) \cup \mathrm{Use}(e))$ by Lemma [C.?]
$= \mathrm{Imp}(S_2', \mathrm{Imp}(s_2, \{x\}))$ by the definition of imported variables
$= \mathrm{Imp}(S_2, \{x\})$ by the definition of imported variables.

Hence the lemma holds.

□

5.3 Termination in the same way 

We proceed to propose a proof rule under which two statement sequences either both terminate or both do not terminate. We start by giving the definition of termination in the same way. Then we present the proof rule of termination in the same way. Our proof rule of termination in the same way allows updates such as statement duplication or reordering, loop fission or fusion, and additional terminating statements. We prove that the proof rule ensures termination in the same way by induction on the program size of the two programs in the proof rule. We also list the auxiliary lemmas required by the proof of termination in the same way. 

Definition 14. (Termination in the same way) Two statement sequences $S_1$ and $S_2$ terminate in the same way when started in states $m_1$ and $m_2$ respectively, written $(S_1, m_1) =_H (S_2, m_2)$, iff one of the following holds:

1. $(S_1, m_1) \to^* (\mathrm{skip}, m_1')$ and $(S_2, m_2) \to^* (\mathrm{skip}, m_2')$;

2. $\forall i > 0$, $(S_1, m_1) \to^i (S_1^i, m_1^i)$ and $(S_2, m_2) \to^i (S_2^i, m_2^i)$ where $S_1^i \neq \mathrm{skip}$, $S_2^i \neq \mathrm{skip}$.

5.3.1 Proof rule for termination in the same way 

We define proof rules under which two statement sequences $S_1$ and $S_2$ terminate in the same way. We summarize the causes of nonterminating execution and then give the proof rule. 

We consider two causes of nonterminating executions: crash and infinite iteration of loop statements. As to crash [?], we consider four common causes based on our language: expression evaluation exceptions, the lack of an input value, input/assignment value type mismatch, and array index out of bounds. In essence, the causes of nontermination are partly due to the values of particular variables during execution. We capture the variables affecting each source of nontermination: the loop deciding variables $\mathrm{LVar}(S)$ are the variables affecting the evaluation of loop statements in the statement sequence $S$, and the crash deciding variables $\mathrm{CVar}(S)$ are the variables whose values decide whether a crash occurs in $S$. We list the definitions of $\mathrm{LVar}(S)$ and $\mathrm{CVar}(S)$ in Definitions 15 and 16. Definition 17 summarizes the variables whose values decide whether a program terminates. 

Definition 15. (Loop deciding variables) The loop deciding variables of a statement sequence $S$, written $\mathrm{LVar}(S)$, are defined as follows:

1. $\mathrm{LVar}(S) = \emptyset$ if there is no $s = $ “$\mathrm{while}(e)\{S'\}$” with $s \in S$;

2. $\mathrm{LVar}($“If $(e)$ then $\{S_t\}$ else $\{S_f\}$”$) = \mathrm{Use}(e) \cup \mathrm{LVar}(S_t) \cup \mathrm{LVar}(S_f)$ if “$\mathrm{while}(e)\{S'\}$” $\in S$;

3. $\mathrm{LVar}($“$\mathrm{while}(e)\{S'\}$”$) = \mathrm{Imp}($“$\mathrm{while}(e)\{S'\}$”$, \mathrm{Use}(e) \cup \mathrm{LVar}(S'))$;

4. For $k > 0$, $\mathrm{LVar}(s_1; \ldots; s_k; s_{k+1}) = \mathrm{LVar}(s_1; \ldots; s_k) \cup \mathrm{Imp}(s_1; \ldots; s_k, \mathrm{LVar}(s_{k+1}))$.

Definition 16. (Crash deciding variables) The crash deciding variables of a statement sequence $S$, written $\mathrm{CVar}(S)$, are defined as follows:

1. $\mathrm{CVar}(\mathrm{skip}) = \emptyset$;

2. $\mathrm{CVar}(lval := e) = \mathrm{Idx}(lval) \cup \mathrm{Use}(e)$ if $(\Gamma \vdash lval : \mathrm{Int}) \wedge (\Gamma \vdash e : \mathrm{Long})$;

3. $\mathrm{CVar}(lval := e) = \mathrm{Idx}(lval) \cup \mathrm{Err}(e)$ if $(\Gamma \vdash lval : \mathrm{Int}) \wedge (\Gamma \vdash e : \mathrm{Long})$ does not hold;

4. $\mathrm{CVar}(\mathrm{input}\ id) = \{id_I\}$;

5. $\mathrm{CVar}(\mathrm{output}\ e) = \mathrm{Err}(e)$;

6. $\mathrm{CVar}($“If $(e)$ then $\{S_t\}$ else $\{S_f\}$”$) = \mathrm{Err}(e)$, if $\mathrm{CVar}(S_t) \cup \mathrm{CVar}(S_f) = \emptyset$;

7. $\mathrm{CVar}($“If $(e)$ then $\{S_t\}$ else $\{S_f\}$”$) = \mathrm{Use}(e) \cup \mathrm{CVar}(S_t) \cup \mathrm{CVar}(S_f)$, if $\mathrm{CVar}(S_t) \cup \mathrm{CVar}(S_f) \neq \emptyset$;

8. $\mathrm{CVar}($“$\mathrm{while}_{(n)}(e)\{S'\}$”$) = \mathrm{Imp}($“$\mathrm{while}_{(n)}(e)\{S'\}$”$, \mathrm{Use}(e) \cup \mathrm{CVar}(S'))$;

9. For $k > 0$, $\mathrm{CVar}(s_1; \ldots; s_k; s_{k+1}) = \mathrm{CVar}(s_1; \ldots; s_k) \cup \mathrm{Imp}(s_1; \ldots; s_k, \mathrm{CVar}(s_{k+1}))$.

Definition 17. (Termination deciding variables) The termination deciding variables of a statement sequence $S$ are $\mathrm{CVar}(S) \cup \mathrm{LVar}(S)$, written $\mathrm{TVar}(S)$.
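As an added illustration of Definitions 15 to 17 (this is not code from the paper), the following Python computes CVar, LVar and TVar over a small tuple encoding of W statements. Use, Err, Def and Imp are the paper's auxiliary functions, but their bodies here are assumed simplifications (no arrays, no output sequence id_IO, Err(e) taken to be the variables in divisors, and an expression typed Long iff it reads a Long variable); the sample program at the end is constructed.

```python
# Added example, not the paper's code: TVar(S) = CVar(S) ∪ LVar(S) from
# Definitions 15-17 over a small Python encoding of W. Use, Err, Def and Imp
# are the paper's auxiliary functions; their bodies here are assumed
# simplifications (no arrays, no id_IO, Err(e) = variables in divisors).
# Expressions (assumed): ('var', x) | ('const', n) | (op, e1, e2).
# Statements (assumed): ('skip',) | ('assign', id, e) | ('input', id) |
# ('output', e) | ('if', e, St, Sf) | ('while', e, body); a sequence is a
# list, and "input id" consumes the input sequence of id, named id + '_I'.
def use(e):                       # Use(e): variables read by e
    if e[0] == 'var':
        return {e[1]}
    if e[0] == 'const':
        return set()
    return use(e[1]) | use(e[2])
def err(e):                       # Err(e) (assumed): variables in divisors
    if e[0] in ('var', 'const'):
        return set()
    extra = use(e[2]) if e[0] == '/' else set()
    return err(e[1]) | err(e[2]) | extra
def is_long(e, gamma):            # assumed Γ ⊢ e : Long iff e reads a Long
    return any(gamma.get(v) == 'Long' for v in use(e))
def defs(S):                      # Def(S): variables (re)defined in S
    out = set()
    for s in S:
        if s[0] == 'assign':
            out.add(s[1])
        elif s[0] == 'input':
            out |= {s[1], s[1] + '_I'}
        elif s[0] in ('if', 'while'):
            out |= defs(s[2]) | (defs(s[3]) if s[0] == 'if' else set())
    return out
def imp(S, V):                    # Imp(S, V) = ∪_{x∈V} Imp(S, {x}), backwards
    for s in reversed(S):
        V = set().union(*[imp1(s, x) for x in V])
    return V
def imp1(s, x):                   # Imp(s, {x}) for one statement s
    if s[0] == 'assign' and s[1] == x:
        return use(s[2])
    if s[0] == 'input' and x in (s[1], s[1] + '_I'):
        return {s[1] + '_I'}
    if s[0] == 'if' and x in defs(s[2]) | defs(s[3]):
        return use(s[1]) | imp(s[2], {x}) | imp(s[3], {x})
    if s[0] == 'while' and x in defs(s[2]):
        # ∪_{i≥0} Imp(body^i, {x} ∪ Use(e)) as the least fixpoint of
        # W ↦ ({x} ∪ Use(e)) ∪ Imp(body, W); Imp is monotone, so it stops.
        W = {x} | use(s[1])
        while True:
            nxt = W | imp(s[2], W)
            if nxt == W:
                return W
            W = nxt
    return {x}                    # s does not redefine x
def cvar(S, gamma):               # CVar(S), Definition 16, by last statement
    if not S:
        return set()
    *pre, s = S
    last = set()                  # case 1: skip
    if s[0] == 'assign':          # cases 2, 3 (Idx(lval) = ∅ without arrays)
        mismatch = gamma.get(s[1]) == 'Int' and is_long(s[2], gamma)
        last = use(s[2]) if mismatch else err(s[2])
    elif s[0] == 'input':         # case 4
        last = {s[1] + '_I'}
    elif s[0] == 'output':        # case 5
        last = err(s[1])
    elif s[0] == 'if':            # cases 6, 7
        inner = cvar(s[2], gamma) | cvar(s[3], gamma)
        last = use(s[1]) | inner if inner else err(s[1])
    elif s[0] == 'while':         # case 8
        last = imp([s], use(s[1]) | cvar(s[2], gamma))
    return cvar(pre, gamma) | imp(pre, last)   # case 9
def has_loop(S):
    return any(s[0] == 'while' or (s[0] == 'if' and has_loop(s[2] + s[3]))
               for s in S)
def lvar(S):                      # LVar(S), Definition 15
    if not has_loop(S):           # case 1
        return set()
    *pre, s = S
    last = set()
    if s[0] == 'while':           # case 3
        last = imp([s], use(s[1]) | lvar(s[2]))
    elif s[0] == 'if' and has_loop([s]):   # case 2
        last = use(s[1]) | lvar(s[2]) | lvar(s[3])
    return lvar(pre) | imp(pre, last)      # case 4
def tvar(S, gamma):               # TVar(S) = CVar(S) ∪ LVar(S), Definition 17
    return cvar(S, gamma) | lvar(S)

# Constructed sample: input n; i := 0; s := 0;
# while (i < n) { s := s + i; i := i + 1 }; output s / k
GAMMA = {'n': 'Int', 'i': 'Int', 's': 'Int', 'k': 'Int'}
PROG = [('input', 'n'),
        ('assign', 'i', ('const', 0)),
        ('assign', 's', ('const', 0)),
        ('while', ('<', ('var', 'i'), ('var', 'n')),
         [('assign', 's', ('+', ('var', 's'), ('var', 'i'))),
          ('assign', 'i', ('+', ('var', 'i'), ('const', 1)))]),
        ('output', ('/', ('var', 's'), ('var', 'k')))]
# Termination is decided by the input sequence n_I (the loop bound) and by
# the divisor k; the accumulator s plays no part: tvar(PROG, GAMMA) == {'n_I', 'k'}
```

Note that the while case of Imp folds the union over all unrollings $\bigcup_{i \ge 0}$ into a fixpoint iteration, which is why the loop bound $n$ is traced back to the input sequence $n_I$ while $s$ never enters TVar.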

Definition 18. (Base cases of the proof rule of termination in the same way) Two simple statements $s_1$ and $s_2$ satisfy the proof rule of termination in the same way, written $s_1 \doteq_H s_2$, iff one of the following holds:

1. $s_1$ and $s_2$ are the same, $s_1 = s_2$;

2. $s_1$ and $s_2$ are input statements with variables of the same type: $s_1 = $ “input $id_1$”, $s_2 = $ “input $id_2$” where $(\Gamma_{s_1} \vdash id_1 : t) \wedge (\Gamma_{s_2} \vdash id_2 : t)$;

3. $s_1 = $ “output $e$” or “$id_1 := e$”, $s_2 = $ “output $e$” or “$id_2 := e$” where both of the following hold:

• There is no possible value mismatch in “$id_1 := e$”: $\neg(\Gamma_{s_1} \vdash id_1 : \mathrm{Int}) \vee \neg(\Gamma_{s_1} \vdash e : \mathrm{Long}) \vee (\Gamma_{s_1} \vdash e : \mathrm{Int})$.

• There is no possible value mismatch in “$id_2 := e$”: $\neg(\Gamma_{s_2} \vdash id_2 : \mathrm{Int}) \vee \neg(\Gamma_{s_2} \vdash e : \mathrm{Long}) \vee (\Gamma_{s_2} \vdash e : \mathrm{Int})$.

Definition 19. (Proof rule of termination in the same way) Two statement sequences $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, written $S_1 \doteq_H S_2$, iff one of the following holds:

1. $S_1$ and $S_2$ are both one statement and one of the following holds:

(a) $S_1$ and $S_2$ are simple statements: $s_1 \doteq_H s_2$;

(b) $S_1 = $ “If $(e)$ then $\{S_1^t\}$ else $\{S_1^f\}$”, $S_2 = $ “If $(e)$ then $\{S_2^t\}$ else $\{S_2^f\}$” and one of the following holds:

i. $S_1^t, S_1^f, S_2^t, S_2^f$ are all sequences of “skip”;

ii. At least one of $S_1^t, S_1^f, S_2^t, S_2^f$ is not a sequence of “skip”, such that $(S_1^t \doteq_H S_2^t) \wedge (S_1^f \doteq_H S_2^f)$;

(c) $S_1 = $ “$\mathrm{while}_{(n_1)}(e)\{S_1''\}$”, $S_2 = $ “$\mathrm{while}_{(n_2)}(e)\{S_2''\}$” and both of the following hold:

• $S_1'' \doteq_H S_2''$;

• $S_1''$ and $S_2''$ have equivalent computation of $\mathrm{TVar}(S_1) \cup \mathrm{TVar}(S_2)$;

2. $S_1$ and $S_2$ are not both one statement and one of the following holds:

(a) $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ and all of the following hold:

• $S_1' \doteq_H S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $\mathrm{TVar}(s_1) \cup \mathrm{TVar}(s_2)$;

• $s_1 \doteq_H s_2$ where $s_1$ and $s_2$ are not “skip”;

(b) One last statement is “skip”:
$((S_1 = S_1'; \text{“skip”}) \wedge (S_1' \doteq_H S_2)) \vee ((S_2 = S_2'; \text{“skip”}) \wedge (S_1 \doteq_H S_2'))$.

(c) One last statement is a “duplicate” statement and one of the following holds:

i. $S_1 = S_1'; s_1'; S_1''; s_1$ and all of the following hold:

• $S_1'; s_1'; S_1'' \doteq_H S_2$;

• $(s_1' \doteq_H s_1) \wedge (s_1 \neq \text{“skip”})$;

• $\mathrm{Def}(s_1'; S_1'') \cap \mathrm{TVar}(s_1) = \emptyset$;

ii. $S_2 = S_2'; s_2'; S_2''; s_2$ and all of the following hold:

• $S_1 \doteq_H S_2'; s_2'; S_2''$;

• $(s_2' \doteq_H s_2) \wedge (s_2 \neq \text{“skip”})$;

• $\mathrm{Def}(s_2'; S_2'') \cap \mathrm{TVar}(s_2) = \emptyset$;

(d) $S_1 = S_1'; s_1; s_1'$ and $S_2 = S_2'; s_2; s_2'$ where $s_1$ and $s_2$ are reordered and all of the following hold:

• $S_1' \doteq_H S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $\mathrm{TVar}(s_1; s_1') \cup \mathrm{TVar}(s_2; s_2')$;

• $s_1 \doteq_H s_2'$;

• $s_1' \doteq_H s_2$;

• $\mathrm{Def}(s_1) \cap \mathrm{TVar}(s_1') = \emptyset$;

• $\mathrm{Def}(s_2) \cap \mathrm{TVar}(s_2') = \emptyset$.

5.3.2 Soundness of the proof rule for termination in the same way 

We show that if two statement sequences satisfy the proof rule of termination in the same way and their initial states agree on the values of their termination deciding variables, then they either both terminate or both do not terminate. 

Theorem 3. If two simple statements $s_1$ and $s_2$ satisfy the proof rule of termination in the same way, $s_1 \doteq_H s_2$, and their initial states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$ have crash flags not set, $f_1 = f_2 = 0$, and their value stores agree on the values of the termination deciding variables of $s_1$ and $s_2$, $\forall x \in \mathrm{TVar}(s_1) \cup \mathrm{TVar}(s_2): \sigma_1(x) = \sigma_2(x)$, then $s_1$ and $s_2$ terminate in the same way when started in states $m_1$ and $m_2$ respectively: $(s_1, m_1) =_H (s_2, m_2)$.

Proof. The proof is a case analysis of the cases in the definition of $s_1 \doteq_H s_2$. Because $s_1$ is a simple statement and its execution involves no function call, we only need the crash deciding variables of $s_1$ among its termination deciding variables, $\mathrm{CVar}(s_1)$. Similarly, we only need $\mathrm{CVar}(s_2)$.

First, $s_1$ and $s_2$ are the same: $s_1 = s_2$.

We show the theorem by induction on the abstract syntax of $s_1$ and $s_2$.

1. $s_1 = s_2 = \mathrm{skip}$.

By the definition of termination in the same way, both $s_1$ and $s_2$ terminate. The theorem holds.

2. $s_1 = s_2 = $ “$lval := e$”.

There are further cases regarding what $lval$ is.

(a) $lval = id$.

By definition, $\mathrm{CVar}(s_1) = \mathrm{CVar}(s_2) = \mathrm{Err}(e)$ or $\mathrm{Use}(e)$, depending on whether there is a possible value mismatch (e.g., assigning a value defined only in type Long to a variable of type Int). There are two subcases.

• The left value $id$ is of type Int and the expression $e$ is of type Long but not of type Int, $(\Gamma \vdash id : \mathrm{Int}) \wedge (\Gamma \vdash e : \mathrm{Long}) \wedge \neg(\Gamma \vdash e : \mathrm{Int})$.

By definition, $\mathrm{CVar}(s_1) = \mathrm{CVar}(s_2) = \mathrm{Use}(e)$. By assumption, $\forall x \in \mathrm{Use}(e), \sigma_1(x) = \sigma_2(x)$. By Lemma D.1, the expression evaluates to the same value w.r.t. the two value stores $\sigma_1$ and $\sigma_2$ respectively.

  – Both evaluations of the expression lead to a crash, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (\mathrm{error}, v_{of})$.

  Then the execution of $s_1$ is as follows:

  $(s_1, m_1) = (id := e, m_1(\sigma_1))$
  $\to (id := (\mathrm{error}, *), m_1(\sigma_1))$ by rule EEval'
  $\to (id := 0, m_1(1/f))$ by rule ECrash
  $\to^i (id := 0, m_1(1/f))$ for any $i > 0$ by rule Crash.

  Similarly, $s_2$ does not terminate. The theorem holds.

  – Both evaluations of the expression lead to no crash, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (v, v_{of})$.

  Then there are cases regarding whether a value mismatch occurs.

    ◦ The value $v$ is only defined in type Long, $(\Gamma \vdash v : \mathrm{Long}) \wedge \neg(\Gamma \vdash v : \mathrm{Int})$.

    The execution of $s_1$ is as follows:

    $(s_1, m_1) = (id := e, m_1(\sigma_1))$
    $\to (id := (v, v_{of}), m_1(\sigma_1))$ by rule EEval'
    $\to (id := v, m_1(\sigma_1))$ by rule EOflow-1 or EOflow-2
    $\to (id := v, m_1(1/f))$ by rule Assign-Err
    $\to^i (id := v, m_1(1/f))$ for any $i > 0$ by rule Crash.

    Similarly, $s_2$ does not terminate. The theorem holds.

    ◦ The value $v$ is defined in type Int, $\Gamma \vdash v : \mathrm{Int}$. Assuming that the variable $id$ is a global one, the execution of $s_1$ is as follows:

    $(s_1, m_1) = (id := e, m_1(\sigma_1))$
    $\to (id := (v, v_{of}), m_1(\sigma_1))$ by rule EEval'
    $\to (id := v, m_1(\sigma_1))$ by rule EOflow-1 or EOflow-2
    $\to (\mathrm{skip}, m_1(\sigma_1[v/id]))$ by rule Assign.

    Similarly, $s_2$ terminates. The theorem holds.

    When the variable $id$ is a local variable, by a similar argument to the one for a global variable, we can show that $s_1$ and $s_2$ terminate. Then the theorem holds.

• It is not the case that the left value $id$ is of type Int and the expression $e$ is of type Long only, $\neg((\Gamma \vdash id : \mathrm{Int}) \wedge (\Gamma \vdash e : \mathrm{Long}) \wedge \neg(\Gamma \vdash e : \mathrm{Int}))$. There are two cases based on whether there is a crash in the evaluation of the expression $e$.

  – Both evaluations of the expression lead to a crash, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (\mathrm{error}, v_{of})$.

  By the same argument as in the case where the left value $id$ is of type Int and the expression $e$ is of type Long only, the theorem holds.

  – Both evaluations of the expression lead to no crash, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (v, v_{of})$.

  By the same argument as in the subcase of no value mismatch in the case where the left value $id$ is of type Int and the expression $e$ is of type Long only, the theorem holds.

(b) $lval = id[n]$.

There are two subcases based on whether $n$ is within the array bound of $id$. By our assumption, the array variable $id$ has the same bound in the two programs. W.l.o.g., we assume $id$ is a local variable.

i. $n$ is out of the bound of the array variable $id$, $((id, n) \mapsto v_1) \notin \sigma_1$ and $((id, n) \mapsto v_2) \notin \sigma_2$.

Then the execution of $s_1$ continues as follows:

$(s_1, m_1) = (id[n] := e, m_1(\sigma_1))$
$\to (id[n] := e, m_1(1/f))$ by rule Arr-3
$\to^i (id[n] := e, m_1(1/f))$ by rule Crash.

Similarly, $s_2$ does not terminate. The theorem holds.

ii. $n$ is within the bound of the array variable $id$, $((id, n) \mapsto v_1) \in \sigma_1$ and $((id, n) \mapsto v_2) \in \sigma_2$.

There are cases of $\mathrm{CVar}(s_1)$ and $\mathrm{CVar}(s_2)$ based on whether there is a possible value mismatch exception in $s_1$ and $s_2$.

• The left value $id[n]$ is of type Int and the expression $e$ is of type Long but not of type Int, $(\Gamma \vdash id[n] : \mathrm{Int}) \wedge (\Gamma \vdash e : \mathrm{Long}) \wedge \neg(\Gamma \vdash e : \mathrm{Int})$.

By definition, $\mathrm{CVar}(s_1) = \mathrm{CVar}(s_2) = \mathrm{Use}(e)$. By assumption, $\forall x \in \mathrm{Use}(e), \sigma_1(x) = \sigma_2(x)$. By Lemma D.1, the expression evaluates to the same value w.r.t. the two value stores $\sigma_1$ and $\sigma_2$ respectively.

  – Both evaluations of the expression lead to a crash, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (\mathrm{error}, v_{of})$.

  Then the execution of $s_1$ is as follows:

  $(s_1, m_1) = (id[n] := e, m_1(\sigma_1))$
  $\to (id[n] := (\mathrm{error}, *), m_1(\sigma_1))$ by rule EEval'
  $\to (id[n] := 0, m_1(1/f))$ by rule ECrash
  $\to^i (id[n] := 0, m_1(1/f))$ for any $i > 0$ by rule Crash.

  Similarly, $s_2$ does not terminate. The theorem holds.

  – Both evaluations of the expression lead to no crash, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (v, v_{of})$.

  Then there are cases regarding whether a value mismatch occurs.

    ◦ The value $v$ is only defined in type Long, $(\Gamma \vdash v : \mathrm{Long}) \wedge \neg(\Gamma \vdash v : \mathrm{Int})$.

    The execution of $s_1$ is as follows:

    $(s_1, m_1) = (id[n] := e, m_1(\sigma_1))$
    $\to (id[n] := (v, v_{of}), m_1(\sigma_1))$ by rule EEval'
    $\to (id[n] := v, m_1(\sigma_1))$ by rule EOflow-1 or EOflow-2
    $\to (id[n] := v, m_1(1/f))$ by rule Assign-Err
    $\to^i (id[n] := v, m_1(1/f))$ for any $i > 0$ by rule Crash.

    Similarly, $s_2$ does not terminate. The theorem holds.

    ◦ The value $v$ is defined in type Int, $\Gamma \vdash v : \mathrm{Int}$.

    The execution of $s_1$ is as follows:

    $(s_1, m_1) = (id[n] := e, m_1(\sigma_1))$
    $\to (id[n] := (v, v_{of}), m_1(\sigma_1))$ by rule EEval'
    $\to (id[n] := v, m_1(\sigma_1))$ by rule EOflow-1 or EOflow-2
    $\to (\mathrm{skip}, m_1(\sigma_1[v/(id, n)]))$ by rule Assign-A.

    Similarly, $s_2$ terminates. The theorem holds.

    When the variable $id$ is a global variable, by a similar argument, we can show that $s_1$ and $s_2$ terminate. Then the theorem holds.

• It is not the case that the left value $id$ is of type Int and the expression $e$ is of type Long only, $\neg((\Gamma \vdash id : \mathrm{Int}) \wedge (\Gamma \vdash e : \mathrm{Long}) \wedge \neg(\Gamma \vdash e : \mathrm{Int}))$.

There are two cases based on whether there is a crash in the evaluation of the expression $e$.

  – Both evaluations of the expression lead to a crash, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (\mathrm{error}, v_{of})$.

  By the same argument as in the case where the left value $id$ is of type Int and the expression $e$ is of type Long only, the theorem holds.

  – Both evaluations of the expression lead to no crash, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (v, v_{of})$.

  By the same argument as in the subcase of no value mismatch in the case where the left value $id$ is of type Int and the expression $e$ is of type Long only, the theorem holds.

If the array variable $id$ is a global variable, by a similar argument to the above, the theorem holds.

(c) $lval = id_1[id_2]$.

By definition, $\mathrm{Idx}(s_1) = \mathrm{Idx}(s_2) = \{id_2\} \subseteq \mathrm{CVar}(s_1) = \mathrm{CVar}(s_2)$. By assumption, $\sigma_1(id_2) = \sigma_2(id_2) = n$. By the same argument as in the case where $lval = id[n]$, the theorem holds.

3. $s_1 = s_2 = $ “input $id$”.

By definition, $\mathrm{CVar}(s_1) = \mathrm{CVar}(s_2) = \{id_I\}$. By assumption $\sigma_1(id_I) = \sigma_2(id_I)$. There are cases regarding whether the input sequence is empty or not.

(a) The input sequence is empty, $\sigma_1(id_I) = \sigma_2(id_I) = \emptyset$.

Then the execution of $s_1$ continues as follows:

$(s_1, m_1) = (\mathrm{input}\ id, m_1(\sigma_1))$
$\to (\mathrm{input}\ id, m_1(1/f))$ by rule In-7
$\to^i (\mathrm{input}\ id, m_1(1/f))$ by rule Crash.

Similarly, $s_2$ does not terminate. The theorem holds.

(b) The input sequence is nonempty, $\sigma_1(id_I) = \sigma_2(id_I) \neq \emptyset$.

There are cases regarding whether the type of the variable $id$ is Long or not.

i. $id$ is of type Long, $\Gamma \vdash id : \mathrm{Long}$.

Assuming $id$ is a local variable, the execution of $s_1$ continues as follows:

$(s_1, m_1) = (\mathrm{input}\ id, m_1(\sigma_1))$
$\to (\mathrm{skip}, m_1(\sigma_1[v_{io}/id,\ \mathrm{tl}(\sigma_1(id_I))/id_I,\ \text{“}\sigma_1(id_{IO}) \cdot v_{io}\text{”}/id_{IO}]))$ by rule In-3.

Similarly, $s_2$ terminates. The theorem holds.

When the variable $id$ is a global variable, by a similar argument, the theorem holds.

ii. $id$ is of type Int or an enumeration, $\Gamma \vdash id : \mathrm{Int}$ or $\Gamma \vdash id : \mathrm{enum}\ id'$.

There are cases regarding whether the head of the input sequence can be transformed to the type of $id$. Let $v_{io} = \mathrm{hd}(\sigma_1(id_I))$.

• $id$ is of type Int.

If $v_{io}$ is not of type Int, $\Gamma \vdash v_{io} : \mathrm{Long}$ and $\neg(\Gamma \vdash v_{io} : \mathrm{Int})$, then the execution of $s_1$ continues as follows:

$(s_1, m_1) = (\mathrm{input}\ id, m_1(\sigma_1))$
$\to (\mathrm{input}\ id, m_1(1/f))$ by rule In-4
$\to^i (\mathrm{input}\ id, m_1(1/f))$ by rule Crash.

Similarly, $s_2$ does not terminate. The theorem holds.

If $v_{io}$ is of type Int, $\Gamma \vdash v_{io} : \mathrm{Long}$ and $\Gamma \vdash v_{io} : \mathrm{Int}$, assuming $id$ is a local variable, then the execution of $s_1$ continues as follows:

$(s_1, m_1) = (\mathrm{input}\ id, m_1(\sigma_1))$
$\to (\mathrm{skip}, m_1(\sigma_1[v_{io}/id,\ \mathrm{tl}(\sigma_1(id_I))/id_I,\ \text{“}\sigma_1(id_{IO}) \cdot v_{io}\text{”}/id_{IO}]))$ by rule In-8.

Similarly, $s_2$ terminates. The theorem holds.

When $id$ is a global variable, by a similar argument, the theorem holds.

• $id$ is of type $\mathrm{enum}\ id' = \{l_1, \ldots, l_k\}$.

If $(v_{io} < 1) \vee (v_{io} > k)$, then the execution of $s_1$ continues as follows:

$(s_1, m_1) = (\mathrm{input}\ id, m_1(\sigma_1))$
$\to (\mathrm{input}\ id, m_1(1/f))$ by rule In-6
$\to^i (\mathrm{input}\ id, m_1(1/f))$ by rule Crash.

Similarly, $s_2$ does not terminate. The theorem holds. When $id$ is a global variable, by a similar argument, the theorem holds.

If $1 \le v_{io} \le k$, assuming $id$ is a local variable, then the execution of $s_1$ continues as follows:

$(s_1, m_1) = (\mathrm{input}\ id, m_1(\sigma_1))$
$\to (\mathrm{skip}, m_1(\sigma_1[v_{io}/id,\ \mathrm{tl}(\sigma_1(id_I))/id_I,\ \text{“}\sigma_1(id_{IO}) \cdot v_{io}\text{”}/id_{IO}]))$ by rule In-5.

Similarly, $s_2$ terminates. The theorem holds. When $id$ is a global variable, by a similar argument, the theorem holds.

4. $s_1 = s_2 = $ “output $e$”.

There are two cases based on whether the evaluation of the expression $e$ crashes. By definition, $\mathrm{CVar}(s_1) = \mathrm{CVar}(s_2) = \mathrm{Err}(e)$. By assumption, $\forall x \in \mathrm{Err}(e), \sigma_1(x) = \sigma_2(x)$. By Lemma D.[?], the evaluation of the expression $e$ w.r.t. the two value stores $\sigma_1$ and $\sigma_2$ either both crash or both do not crash.

i. There is a crash in the evaluation of the expression $e$ w.r.t. the two value stores $\sigma_1$ and $\sigma_2$, $\mathcal{E}[\![e]\!]\sigma_1 = (\mathrm{error}, v_{of})$ and $\mathcal{E}[\![e]\!]\sigma_2 = (\mathrm{error}, v_{of})$.

The execution of $s_1$ continues as follows:

$(s_1, m_1) = (\mathrm{output}\ e, m_1(\sigma_1))$
$\to (\mathrm{output}\ (\mathrm{error}, v_{of}), m_1(\sigma_1))$ by rule EEval'
$\to (\mathrm{output}\ 0, m_1(1/f))$ by rule ECrash
$\to^i (\mathrm{output}\ 0, m_1(1/f))$ by rule Crash.

Similarly, $s_2$ does not terminate. The theorem holds.

ii. There is no crash in the evaluation of the expression $e$ w.r.t. the two value stores $\sigma_1$ and $\sigma_2$, $\mathcal{E}[\![e]\!]\sigma_1 = (v_1, v_{of})$ and $\mathcal{E}[\![e]\!]\sigma_2 = (v_2, v_{of})$.

According to rules Out-1 and Out-2, there is no exception in the transformation of output values of different types. We therefore only show the execution for an output value of type Int. The execution of $s_1$ continues as follows:

$(s_1, m_1) = (\mathrm{output}\ e, m_1(\sigma_1))$
$\to (\mathrm{output}\ (v_1, v_{of}), m_1(\sigma_1))$ by rule EEval'
$\to (\mathrm{output}\ v_1, m_1(v_{of}/of, \sigma_1))$ by rule EOflow-1 or EOflow-2
$\to (\mathrm{skip}, m_1(\sigma_1[\text{“}\sigma_1(id_{IO}) \cdot v_1\text{”}/id_{IO}]))$ by rule Out-1.

Similarly, $s_2$ terminates. The theorem holds.

Second, $s_1$ and $s_2$ are input statements with variables of the same type: $s_1 = $ “input $id_1$”, $s_2 = $ “input $id_2$” where $(\Gamma_{s_1} \vdash id_1 : t) \wedge (\Gamma_{s_2} \vdash id_2 : t)$.

The theorem holds by a similar argument to the one for the case $s_1 = s_2 = $ “input $id$”.

Third, $s_1 = $ “output $e$” or “$id_1 := e$”, $s_2 = $ “output $e$” or “$id_2 := e$” where both of the following hold:

• There is no possible value mismatch in “$id_1 := e$”: $\neg(\Gamma_{s_1} \vdash id_1 : \mathrm{Int}) \vee \neg(\Gamma_{s_1} \vdash e : \mathrm{Long}) \vee (\Gamma_{s_1} \vdash e : \mathrm{Int})$.

• There is no possible value mismatch in “$id_2 := e$”: $\neg(\Gamma_{s_2} \vdash id_2 : \mathrm{Int}) \vee \neg(\Gamma_{s_2} \vdash e : \mathrm{Long}) \vee (\Gamma_{s_2} \vdash e : \mathrm{Int})$.

We show that the evaluations of the expression $e$ w.r.t. the value stores $\sigma_1$ and $\sigma_2$ either both raise an exception or both do not. By the definition of crash deciding variables, the crash deciding variables of $s_1$ are those obtained by the function $\mathrm{Err}(e)$, $\mathrm{CVar}(s_1) = \mathrm{Err}(e)$. Similarly, the termination deciding variables of $s_2$ are $\mathrm{Err}(e)$. By assumption, the initial value stores $\sigma_1$ and $\sigma_2$ agree on the values of those in $\mathrm{CVar}(s_1)$ and $\mathrm{CVar}(s_2)$, $\forall x \in \mathrm{Err}(e) = (\mathrm{CVar}(s_1) \cup \mathrm{CVar}(s_2)): \sigma_1(x) = \sigma_2(x)$. By Lemma D.2, the evaluations of the expression $e$ w.r.t. the two value stores $\sigma_1$ and $\sigma_2$ either both raise an exception or both do not raise an exception.

1. The evaluations of the expression $e$ raise an exception w.r.t. the two value stores $\sigma_1$ and $\sigma_2$, $\mathcal{E}[\![e]\!]\sigma_1 = (\mathrm{error}, v_{of})$, $\mathcal{E}[\![e]\!]\sigma_2 = (\mathrm{error}, v_{of})$:

We show that the execution of $s_1$ proceeds to a configuration where the crash flag is set and then does not terminate.

When $s_1 = $ “output $e$”, the execution of “output $e$” proceeds as follows.

$(\mathrm{output}\ e, m_1(\sigma_1))$
$\to (\mathrm{output}\ (\mathrm{error}, v_{of}), m_1(\sigma_1))$ by rule EEval'
$\to (\mathrm{output}\ 0, m_1(1/f))$ by rule ECrash
$\to^i (\mathrm{output}\ 0, m_1(1/f))$ for any $i > 0$, by rule Crash.

When $s_1 = $ “$id_1 := e$”, the execution of “$id_1 := e$” proceeds as follows.

$(id_1 := e, m_1(\sigma_1))$
$\to (id_1 := (\mathrm{error}, v_{of}), m_1(\sigma_1))$ by rule EEval'
$\to (id_1 := 0, m_1(1/f))$ by rule ECrash
$\to^i (id_1 := 0, m_1(1/f))$ for any $i > 0$, by rule Crash.

Similarly, the execution of $s_2$ proceeds to a configuration where the crash flag is set. Then, by rule Crash, the execution of $s_2$ does not terminate. Theorem 3 holds.

2. The evaluations of the expression $e$ do not raise an exception w.r.t. the two value stores $\sigma_1$ and $\sigma_2$, $\mathcal{E}[\![e]\!]\sigma_1 = (v_1, v_{of})$, $\mathcal{E}[\![e]\!]\sigma_2 = (v_2, v_{of})$:

We show that the execution of $s_1$ terminates.

When $s_1 = $ “output $e$”, the execution of “output $e$” proceeds as follows. W.l.o.g., we assume the expression $e$ is of type Int. This is allowed by the condition that $(\Gamma_{s_1} \vdash e : \mathrm{Long}) \wedge \neg(\Gamma_{s_1} \vdash e : \mathrm{Int})$ does not hold.

$(\mathrm{output}\ e, m_1(\sigma_1))$
$\to (\mathrm{output}\ (v_1, v_{of}), m_1(\sigma_1))$ by rule EEval'
$\to (\mathrm{output}\ v_1, m_1(v_{of}/of, \sigma_1))$ by rule E-Oflow1 or E-Oflow2
$\to (\mathrm{skip}, m_1(\sigma_1[\text{“}\sigma_1(id_{IO}) \cdot v_1\text{”}/id_{IO}]))$ by rule Out.

When $s_1 = $ “$id_1 := e$”, by assumption the expression $e$ is of type Int; there is no possible value mismatch in the execution of “$id_1 := e$”, because the only possible value mismatch occurs when assigning a value of type Long but not Int to a variable of type Int. By the condition $\neg(\Gamma_{s_1} \vdash id_1 : \mathrm{Int}) \vee \neg(\Gamma_{s_1} \vdash e : \mathrm{Long}) \vee (\Gamma_{s_1} \vdash e : \mathrm{Int})$, when the expression $e$ is of type Long, the variable $id_1$ is not of type Int. In summary, there is no value mismatch.

The execution of “$id_1 := e$” proceeds as follows.

$(id_1 := e, m_1(\sigma_1))$
$\to (id_1 := (v_1, v_{of}), m_1(\sigma_1))$ by rule EEval'
$\to (id_1 := v_1, m_1(v_{of}/of, \sigma_1))$ by rule E-Oflow1 or E-Oflow2
$\to (\mathrm{skip}, m_1(\sigma_1[v_1/id_1]))$ by rule Assign.

When $id_1$ is a variable of enumeration or Long type, by a similar argument, the theorem still holds.

Similarly, the execution of $s_2$ terminates when started in the state $m_2(\sigma_2)$. Theorem 3 holds.

□

Theorem 4. If two statement sequences $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, $S_1 \doteq_H S_2$, and their respective initial states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$ have crash flags not set, $f_1 = f_2 = 0$, and their value stores agree on the values of the termination deciding variables of $S_1$ and $S_2$, $\forall x \in \mathrm{TVar}(S_1) \cup \mathrm{TVar}(S_2): \sigma_1(x) = \sigma_2(x)$, then $S_1$ and $S_2$ terminate in the same way when started in states $m_1$ and $m_2$ respectively: $(S_1, m_1) =_H (S_2, m_2)$.

Proof. The proof is by induction on size(S'i) -T size(S'2), the sum 
of program size of ^i and S2. 

Base case. Si and S2 are simple statement. By Theorem[3l Theo- 
rem|4]holds. 

Induction step. 

There are two hypotheses. The hypothesis IH is that Theorem |4] 
holds when size(Si) -T size(S2) = k >2. 

We show Theorem|4]holds when size (Si) -T size(S2) = fc + 1. 

The proof of Theorem|4]is a case analysis according to the cases 
in the definition of the proof rule of termination in the same way. 
Si =lt S2. 

1. $S_1$ and $S_2$ are one statement and one of the following holds.

(a) $S_1$ = "If($e$) then {$S_1^t$} else {$S_1^f$}", $S_2$ = "If($e$) then {$S_2^t$} else {$S_2^f$}" such that one of the following holds:

i. $S_1^t$, $S_1^f$, $S_2^t$, $S_2^f$ are all sequences of "skip";

We show that the evaluation of the expression $e$ w.r.t. the value stores $\sigma_1$ and $\sigma_2$ either both raise an exception or both do not. By the definition of crash/loop variables, $CVar(S_1^t) = CVar(S_1^f) = \emptyset$ and $LVar(S_1) = \emptyset$. By the definition of termination deciding variables, the termination deciding variables of $S_1$ are the crash variables of $S_1$, $TVar(S_1) = CVar(S_1) = Err(e)$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the crash variables of $S_1$ and $S_2$, $\forall x \in Err(e) = TVar(S_1) = TVar(S_2) : \sigma_1(x) = \sigma_2(x)$. By the property of the expression meaning function $\mathcal{E}$, the evaluations of the predicate expression $e$ of $S_1$ and $S_2$ w.r.t. the value stores $\sigma_1$ and $\sigma_2$ either both crash or both do not crash, $(\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = error) \vee ((\mathcal{E}[\![e]\!]\sigma_1 \neq error) \wedge (\mathcal{E}[\![e]\!]\sigma_2 \neq error))$. Then we show that Theorem 4 holds in either of the two possibilities.

A. $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = error$.

The execution of $S_1$ proceeds as follows:

(If($e$) then {$S_1^t$} else {$S_1^f$}, $m_1(\sigma_1)$)
$\rightarrow$ (If($error$) then {$S_1^t$} else {$S_1^f$}, $m_1(\sigma_1)$) by rule EEval
$\rightarrow$ (If($0$) then {$S_1^t$} else {$S_1^f$}, $m_1(1/f, \sigma_1)$) by rule ECrash
$\rightarrow^i$ (If($0$) then {$S_1^t$} else {$S_1^f$}, $m_1(1/f, \sigma_1)$) for any $i > 0$, by rule Crash.

Similarly, the execution of $S_2$ started in the state $m_2(\sigma_2)$ does not terminate. Theorem 4 holds.

B. $(\mathcal{E}[\![e]\!]\sigma_1 \neq error) \wedge (\mathcal{E}[\![e]\!]\sigma_2 \neq error)$.

W.l.o.g., $\mathcal{E}[\![e]\!]\sigma_1 = v_1 \neq 0$ and $\mathcal{E}[\![e]\!]\sigma_2 = 0$. Then the execution of $S_1$ proceeds as follows.

(If($e$) then {$S_1^t$} else {$S_1^f$}, $m_1(\sigma_1)$)
$\rightarrow$ (If($v_1$) then {$S_1^t$} else {$S_1^f$}, $m_1(\sigma_1)$) by rule EEval
$\rightarrow$ ($S_1^t$, $m_1(\sigma_1)$) by rule If-T
$\rightarrow^*$ (skip, $m_1'$) by rule Skip.

Similarly, the execution of $S_2$ started in the state $m_2(\sigma_2)$ terminates. Theorem 4 holds.

ii. At least one of $S_1^t$, $S_1^f$, $S_2^t$, $S_2^f$ is not a sequence of "skip" and $(S_1^t =_H S_2^t) \wedge (S_1^f =_H S_2^f)$.

W.l.o.g., $S_1^t$ is not of "skip" only. We show that the evaluation of the expression $e$ w.r.t. the value stores $\sigma_1$ and $\sigma_2$ either both raise an exception or both produce the same integer value. There is either some loop statement in $S_1^t$, or the crash variables of $S_1^t$ are not $\emptyset$, or both.

A. When there is some loop statement in $S_1^t$, then, by the definition of loop variables, the loop variables of $S_1$ include all variables used in the predicate expression of $S_1$, $LVar(S_1) = Use(e) \cup LVar(S_1^t) \cup LVar(S_1^f)$.

B. When the crash variables of $S_1^t$ are not $\emptyset$, then, by the definition of crash variables, the crash variables of $S_1$ include all variables used in the predicate expression of $S_1$, $CVar(S_1) = Use(e) \cup CVar(S_1^t) \cup CVar(S_1^f)$.

In summary, all variables used in the predicate expression of $S_1$ are a subset of the termination deciding variables of $S_1$, $Use(e) \subseteq TVar(S_1)$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1$ and $S_2$. It follows, by the property of the expression meaning function $\mathcal{E}$, that the evaluations of the predicate expression $e$ of $S_1$ and $S_2$ produce the same value w.r.t. the value stores $\sigma_1$ and $\sigma_2$, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2$. Then either the evaluations of the predicate expression $e$ of $S_1$ and $S_2$ both crash w.r.t. the value stores $\sigma_1$ and $\sigma_2$, or both evaluations produce the same integer value, $(\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = error) \vee (\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = v \neq error)$. We show that Theorem 4 holds in either of the two possibilities.

A. $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = error$.

The execution of $S_1$ proceeds as follows:

(If($e$) then {$S_1^t$} else {$S_1^f$}, $m_1(\sigma_1)$)
$\rightarrow$ (If($error$) then {$S_1^t$} else {$S_1^f$}, $m_1(\sigma_1)$) by rule EEval
$\rightarrow$ (If($0$) then {$S_1^t$} else {$S_1^f$}, $m_1(1/f, \sigma_1)$) by rule ECrash
$\rightarrow^i$ (If($0$) then {$S_1^t$} else {$S_1^f$}, $m_1(1/f, \sigma_1)$) for any $i > 0$, by rule Crash.

Similarly, the execution of $S_2$ started from the state $m_2(\sigma_2)$ does not terminate. Theorem 4 holds.

B. $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = v \neq error$; w.l.o.g., $v = 0$.

Then the execution of $S_1$ proceeds as follows:

(If($e$) then {$S_1^t$} else {$S_1^f$}, $m_1(\sigma_1)$)
$\rightarrow$ (If($0$) then {$S_1^t$} else {$S_1^f$}, $m_1(\sigma_1)$) by rule EEval
$\rightarrow$ ($S_1^f$, $m_1(\sigma_1)$) by rule If-F.

Similarly, after two steps of execution, $S_2$ gets to the configuration $(S_2^f, m_2(\sigma_2))$.

We show that $S_1^f$ and $S_2^f$ terminate in the same way when started in the states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. Because $S_1^f =_H S_2^f$, by Corollary 5.1 the termination deciding variables of $S_1^f$ and $S_2^f$ are the same, $TVar(S_1^f) = TVar(S_2^f)$. By the definition of crash/loop variables, $CVar(S_1^f) \subseteq CVar(S_1)$ and $LVar(S_1^f) \subseteq LVar(S_1)$. Hence, the termination deciding variables of $S_1^f$ are a subset of the termination deciding variables of $S_1$, $TVar(S_1^f) \subseteq TVar(S_1)$. Similarly, $TVar(S_2^f) \subseteq TVar(S_2)$. Therefore, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1^f$ and $S_2^f$, $\forall y \in TVar(S_1^f) \cup TVar(S_2^f) : \sigma_1(y) = \sigma_2(y)$. In addition, the sum of the program sizes of $S_1^f$ and $S_2^f$ is less than $k$ because the program size of each of $S_1^t$ and $S_2^t$ is greater than or equal to one, $size(S_1^f) + size(S_2^f) < k$. As shown, the crash flags are not set. Therefore, by the hypothesis IH, $S_1^f$ and $S_2^f$ terminate in the same way when started in the states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$, $(S_1^f, m_1(f_1, \sigma_1)) =_H (S_2^f, m_2(f_2, \sigma_2))$. Hence, Theorem 4 holds.

(b) $S_1$ = "while$_{(n_1)}$($e$) {$S_1''$}", $S_2$ = "while$_{(n_2)}$($e$) {$S_2''$}" such that both of the following hold:

• $S_1'' =_H S_2''$;

• $S_1''$ and $S_2''$ have equivalent computation of $TVar(S_1) \cup TVar(S_2)$;

By Corollary 5.3 we show that $S_1$ and $S_2$ terminate in the same way when started from the states $m_1(f_1, m_1^l, \sigma_1)$ and $m_2(f_2, m_2^l, \sigma_2)$ respectively. We need to show that all required conditions are satisfied.

• The crash flags are not set, $f_1 = f_2 = 0$.

• The loop counter values of $S_1$ and $S_2$ are zero: $m_1^l(n_1) = m_2^l(n_2) = 0$.

• The value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1$ and $S_2$, $\forall x \in TVar(S_1) \cup TVar(S_2) : \sigma_1(x) = \sigma_2(x)$.

The three conditions above are from the assumption.

• $S_1$ and $S_2$ have the same set of termination deciding variables, $TVar(S_1) = TVar(S_2)$.

By Corollary 5.1.

• The loop bodies $S_1''$ of $S_1$ and $S_2''$ of $S_2$ terminate in the same way when started in states $m_{S_1}(f_{S_1}, \sigma_{S_1})$ and $m_{S_2}(f_{S_2}, \sigma_{S_2})$ with crash flags not set and in which the value stores agree on the values of the termination deciding variables of $S_1''$ and $S_2''$: $((\forall x \in TVar(S_1'') \cup TVar(S_2'') : \sigma_{S_1}(x) = \sigma_{S_2}(x)) \wedge (f_{S_1} = f_{S_2} = 0)) \Rightarrow (S_1'', m_{S_1}(f_{S_1}, \sigma_{S_1})) =_H (S_2'', m_{S_2}(f_{S_2}, \sigma_{S_2}))$.

By the definition of program size, $size(S_1) = size(S_1'') + 1$ and $size(S_2) = size(S_2'') + 1$. Then $size(S_1'') + size(S_2'') < k$. Then, by the hypothesis IH, the loop bodies $S_1''$ of $S_1$ and $S_2''$ of $S_2$ terminate in the same way when started in states $m_{S_1}(\sigma_{S_1})$ and $m_{S_2}(\sigma_{S_2})$ with crash flags not set and whose value stores agree on the values of the termination deciding variables of $S_1''$ and $S_2''$.

Then, by Corollary 5.3, $S_1$ and $S_2$ terminate in the same way when started in the states $m_1(m_1^l, \sigma_1)$ and $m_2(m_2^l, \sigma_2)$ respectively. Theorem 4 holds.

2. $S_1$ and $S_2$ are not both one statement and one of the following holds:

(a) $S_1 = S_1'; s_1$, $S_2 = S_2'; s_2$ and all of the following hold:

• $S_1' =_H S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $TVar(s_1) \cup TVar(s_2)$;

• $s_1 =_H s_2$ where $s_1$ and $s_2$ are not sequences of "skip";

By the hypothesis IH, we show that $S_1'$ and $S_2'$ terminate in the same way when started in the states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$ respectively, $(S_1', m_1(f_1, \sigma_1)) =_H (S_2', m_2(f_2, \sigma_2))$. We need to show that all required conditions are satisfied.

• Crash flags are not set, $f_1 = f_2 = 0$;

By assumption.

• $size(S_1') + size(S_2') < k$.

By definition, $size(s_1) \ge 1$ and $size(s_2) \ge 1$. Hence $size(S_1') + size(S_2') < k$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1'$ and $S_2'$.

By the definition of loop/crash variables, $LVar(S_1') \subseteq LVar(S_1)$ and $CVar(S_1') \subseteq CVar(S_1)$. Hence, $TVar(S_1') \subseteq TVar(S_1)$. Similarly, $TVar(S_2') \subseteq TVar(S_2)$. Then, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1'$ and $S_2'$,

$\forall x \in TVar(S_1') \cup TVar(S_2') : \sigma_1(x) = \sigma_2(x)$.

Then, by the hypothesis IH, $S_1'$ and $S_2'$ terminate in the same way when started in the states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$ respectively, $(S_1', m_1(f_1, \sigma_1)) =_H (S_2', m_2(f_2, \sigma_2))$.

If the executions of $S_1'$ and $S_2'$ terminate when started in the states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$ respectively, we show that $S_1$ and $S_2$ terminate in the same way. We prove that $S_1'$ and $S_2'$ equivalently compute the termination deciding variables of $s_1$ and $s_2$ by Theorem 2.

• Crash flags are not set, $f_1 = f_2 = 0$;

By the definition of terminating execution of $S_1'$ and $S_2'$ when started in states $m_1$ and $m_2$ respectively.

• The executions of $S_1'$ and $S_2'$ terminate when started in the states $m_1(\sigma_1)$ and $m_2(\sigma_2)$.

By assumption, $(S_1', m_1(\sigma_1)) \rightarrow^* (skip, m_1'(\sigma_1'))$ and $(S_2', m_2(\sigma_2)) \rightarrow^* (skip, m_2'(\sigma_2'))$.

• $s_1$ and $s_2$ have the same termination deciding variables.

By Corollary 5.1, $s_1$ and $s_2$ have the same termination deciding variables, $TVar(s_1) = TVar(s_2) = TVar(s)$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $Imp(S_1', TVar(s)) \cup Imp(S_2', TVar(s))$.

By the definition of loop/crash variables, $Imp(S_1', LVar(s_1)) \subseteq LVar(S_1)$ and $Imp(S_1', CVar(s_1)) \subseteq CVar(S_1)$. Hence, by Lemma C.[?], the imported variables in $S_1'$ relative to the termination deciding variables of $s_1$ are a subset of the termination deciding variables of $S_1$, $Imp(S_1', TVar(s)) \subseteq TVar(S_1)$. Similarly, $Imp(S_2', TVar(s)) \subseteq TVar(S_2)$. Thus, by assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $Imp(S_1', TVar(s)) \cup Imp(S_2', TVar(s))$.

By Theorem 2, $\forall x \in TVar(s) : \sigma_1'(x) = \sigma_2'(x)$.

By Corollary E.1, $(S_1'; s_1, m_1(\sigma_1)) \rightarrow^* (s_1, m_1'(f_1, \sigma_1'))$ and $(S_2'; s_2, m_2(\sigma_2)) \rightarrow^* (s_2, m_2'(f_2, \sigma_2'))$. Then, by the hypothesis IH, we show that $s_1$ and $s_2$ terminate in the same way when started in the states $m_1'(\sigma_1')$ and $m_2'(\sigma_2')$. We show that all required conditions are satisfied. $size(s_1) + size(s_2) < k$ because $size(S_1') \ge 1$ and $size(S_2') \ge 1$ by the definition of program size. If $s_1$ and $s_2$ are loop statements, then, by the assumption of unique loop labels, $s_1 \notin S_1'$ and $s_2 \notin S_2'$. Then, by Corollary [?], the loop counter values of $s_1$ and $s_2$ are not redefined in the executions of $S_1'$ and $S_2'$ respectively. By the hypothesis IH, $s_1$ and $s_2$ terminate in the same way when started in the states $m_1'(f_1, \sigma_1')$ and $m_2'(f_2, \sigma_2')$, $(s_1, m_1'(f_1, \sigma_1')) =_H (s_2, m_2'(f_2, \sigma_2'))$. Theorem 4 holds.

(b) One last statement is "skip": w.l.o.g., $(s_2 = $ "skip"$) \wedge (S_1 =_H S_2')$.

We show that $S_1$ and $S_2'$ terminate in the same way when started in the states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively by the hypothesis IH. By the definition of crash/loop variables, $CVar(S_2') \subseteq CVar(S_2)$ and $LVar(S_2') \subseteq LVar(S_2)$. Then, by assumption, $\forall x \in TVar(S_1) \cup TVar(S_2') : \sigma_1(x) = \sigma_2(x)$. Besides, $size(s_2) \ge 1$ by the definition of program size. Then $size(S_1) + size(S_2') < k$. By the hypothesis IH, $S_1$ and $S_2'$ terminate in the same way when started in the states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$, $(S_1, m_1(f_1, \sigma_1)) =_H (S_2', m_2(f_2, \sigma_2))$.

When the executions of $S_1$ and $S_2'$ terminate when started in the states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively, $S_2$ terminates after the execution of $S_2'$ by the definition of terminating execution.

(c) One last statement is a "duplicate" statement such that one of the following holds:

W.l.o.g., $S_2 = S_2'; s_2'; S_2''; s_2$ and all of the following hold:

• $S_1 =_H S_2'; s_2'; S_2''$;

• $s_2' =_H s_2$;

• $Def(s_2'; S_2'') \cap TVar(s_2) = \emptyset$;

• $s_2 \neq$ "skip";

We show that $S_1$ and $S_2'; s_2'; S_2''$ terminate in the same way when started in the states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$ respectively by the hypothesis IH. The proof is the same as that in case (a).

We show that $s_2$ terminates if the execution of $S_2'; s_2'; S_2''$ terminates. We need to prove that $s_2'$ and $s_2$ start in states agreeing on the values of the variables in $TVar(s_2)$. By assumption, $S_2'; s_2'; S_2''$ terminates, $(S_2'; s_2'; S_2'', m_2(f_2, \sigma_2)) \rightarrow^* (skip, m_2'(f_2, \sigma_2'))$. Then, by Corollary E.1, $(S_2'; s_2'; S_2''; s_2, m_2(f_2, \sigma_2)) \rightarrow^* (s_2, m_2'(f_2, \sigma_2'))$. In addition, the executions of $S_2'$ and $s_2'$ must terminate because the execution of $S_2'; s_2'; S_2''$ terminates,

$(S_2'; s_2'; S_2''; s_2, m_2(f_2, \sigma_2)) \rightarrow^* (s_2'; S_2''; s_2, m_2''(f_2, \sigma_2'')) \rightarrow^* (s_2, m_2'(f_2, \sigma_2'))$.

By assumption, $Def(s_2'; S_2'') \cap TVar(s_2) = \emptyset$. Then, by Corollary E.2, the value stores $\sigma_2''$ and $\sigma_2'$ agree on the values of the termination deciding variables of $s_2$, $\forall x \in TVar(s_2) : \sigma_2''(x) = \sigma_2'(x)$. By Corollary 5.1, $TVar(s_2') = TVar(s_2)$.

Because the execution of $s_2'$ terminates, the execution of $s_2$ terminates when started in the state $m_2'(f_2, \sigma_2')$ by the hypothesis IH, $(s_2, m_2'(f_2, \sigma_2')) \rightarrow^* (skip, m_2''')$.

In addition, we show that there is no input statement in $s_2$ by contradiction. Suppose there is an input statement in $s_2$. By Lemma 5.11, $id_I \in CVar(s_2)$. Hence, the input sequence variable is in the termination deciding variables of $s_2$, $id_I \in TVar(s_2)$. By Corollary 5.1, $TVar(s_2) = TVar(s_2')$. Then there must be one input statement in $s_2'$; otherwise, by Corollary 5.2, the input sequence variable is not in the termination deciding variables of $s_2'$, a contradiction with the result that $id_I \in TVar(s_2')$. Since there is one input statement in $s_2'$, by Lemma 5.11, $id_I \in Def(s_2')$. Thus, by definition, $id_I \in Def(s_2'; S_2'')$. Then $Def(s_2'; S_2'') \cap TVar(s_2) \neq \emptyset$. A contradiction. Therefore, there is no input statement in $s_2$.

(d) $S_1 = S_1'; s_1; s_1'$ and $S_2 = S_2'; s_2; s_2'$ where $s_1$ and $s_2$ are reordered and all of the following hold:

• $S_1' =_H S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $TVar(s_1; s_1') \cup TVar(s_2; s_2')$;

• $s_1 =_H s_2'$;

• $s_1' =_H s_2$;

• $Def(s_1) \cap TVar(s_1') = \emptyset$;

• $Def(s_2) \cap TVar(s_2') = \emptyset$;

The proof is to show that if $S_1$ terminates when started in the state $m_1$, then $S_2$ terminates when started in the state $m_2$, and vice versa. Due to the symmetric conditions, it suffices to show one direction; w.l.o.g., $(S_1, m_1) \rightarrow^* (skip, m_1') \Rightarrow (S_2, m_2) \rightarrow^* (skip, m_2')$.

We show that the execution of $S_2'$ terminates by the hypothesis IH. We need to show that all required conditions are satisfied.

• $size(S_1') + size(S_2') < k$.

This is because $size(s_1; s_1') \ge 1$ and $size(s_2; s_2') \ge 1$.

• The initial value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1'$ and $S_2'$, $\forall x \in TVar(S_1') \cup TVar(S_2') : \sigma_1(x) = \sigma_2(x)$.

We show that $TVar(S_1') \subseteq TVar(S_1)$. In the following, we prove that $CVar(S_1') \subseteq CVar(S_1)$.

$CVar(S_1')$
$\subseteq CVar(S_1'; s_1)$ by the definition of $CVar(S_1'; s_1)$
$\subseteq CVar(S_1'; s_1; s_1')$ by the definition of $CVar(S_1'; s_1; s_1')$

Similarly, $LVar(S_1') \subseteq LVar(S_1)$. Hence, $TVar(S_1') \subseteq TVar(S_1)$. Similarly, $TVar(S_2') \subseteq TVar(S_2)$. By assumption, the initial value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1'$ and $S_2'$.

By the hypothesis IH, $(S_1', m_1(\sigma_1)) =_H (S_2', m_2(\sigma_2))$. Because the execution of $S_1$ terminates, $S_1'$ terminates when started in the state $m_1(\sigma_1)$, $(S_1', m_1(\sigma_1)) \rightarrow^* (skip, m_1'(\sigma_1'))$. Therefore, $S_2'$ terminates when started in the state $m_2(\sigma_2)$, $(S_2', m_2(\sigma_2)) \rightarrow^* (skip, m_2'(\sigma_2'))$.

We show that after the executions of $S_1'$ and $S_2'$, the value stores agree on the values of the termination deciding variables of $s_1; s_1'$ and $s_2; s_2'$, $\forall x \in TVar(s_1; s_1') \cup TVar(s_2; s_2') : \sigma_1'(x) = \sigma_2'(x)$. We split the argument into two steps.

i. We show that $TVar(s_1; s_1') = TVar(s_2; s_2')$.

By Corollary 5.1, $TVar(s_1) = TVar(s_2')$ and $TVar(s_1') = TVar(s_2)$. Then we show that $TVar(s_1; s_1') = TVar(s_1) \cup TVar(s_1')$. To do that, we show that $CVar(s_1; s_1') = CVar(s_1) \cup CVar(s_1')$.

$CVar(s_1; s_1')$
$= CVar(s_1) \cup Imp(s_1, CVar(s_1'))$ by the definition of $CVar(s_1; s_1')$
$= CVar(s_1) \cup CVar(s_1')$ by $Def(s_1) \cap TVar(s_1') = \emptyset$ and the definition of $Imp(\cdot)$.

Similarly, $LVar(s_1; s_1') = LVar(s_1) \cup LVar(s_1')$. Thus, $TVar(s_1; s_1') = TVar(s_1) \cup TVar(s_1')$. Similarly, $TVar(s_2; s_2') = TVar(s_2) \cup TVar(s_2')$. In summary, $TVar(s_1; s_1') = TVar(s_2; s_2')$.

ii. We show that $Imp(S_1', TVar(s_1; s_1')) \subseteq TVar(S_1)$ and $Imp(S_2', TVar(s_2; s_2')) \subseteq TVar(S_2)$.

W.l.o.g., we show that $Imp(S_1', TVar(s_1; s_1')) \subseteq TVar(S_1)$. Specifically, we show $Imp(S_1', CVar(s_1; s_1')) \subseteq CVar(S_1)$.

$CVar(s_1; s_1')$
$= CVar(s_1) \cup Imp(s_1, CVar(s_1'))$ (1) by the definition of $CVar(s_1; s_1')$

$Imp(S_1', CVar(s_1; s_1'))$
$= Imp(S_1', CVar(s_1) \cup Imp(s_1, CVar(s_1')))$ by (1)
$= Imp(S_1', CVar(s_1)) \cup Imp(S_1', Imp(s_1, CVar(s_1')))$ (2) by Lemma C.[?]

$Imp(S_1', CVar(s_1))$
$\subseteq CVar(S_1'; s_1)$ by the definition of $CVar(\cdot)$
$\subseteq CVar(S_1'; s_1; s_1')$ (3) by the definition of $CVar(\cdot)$

$Imp(S_1', Imp(s_1, CVar(s_1')))$
$= Imp(S_1'; s_1, CVar(s_1'))$ by Corollary C.1
$\subseteq CVar(S_1'; s_1; s_1')$ (4) by the definition of $CVar(\cdot)$.

$Imp(S_1', CVar(s_1)) \cup Imp(S_1', Imp(s_1, CVar(s_1')))$
$\subseteq CVar(S_1'; s_1; s_1')$ by (3) and (4).

In conclusion, $Imp(S_1', CVar(s_1; s_1')) \subseteq CVar(S_1)$. Similarly, $Imp(S_1', LVar(s_1; s_1')) \subseteq LVar(S_1)$. Thus, $Imp(S_1', TVar(s_1; s_1')) \subseteq TVar(S_1)$. Similarly, $Imp(S_2', TVar(s_2; s_2')) \subseteq TVar(S_2)$.

Then, by Theorem 2, after the terminating executions of $S_1'$ and $S_2'$, the value stores $\sigma_1'$ and $\sigma_2'$ agree on the values of the termination deciding variables of $s_1; s_1'$ and $s_2; s_2'$,

$\forall x \in TVar(s_1; s_1') \cup TVar(s_2; s_2') : \sigma_1'(x) = \sigma_2'(x)$.

We show that the execution of $s_2$ terminates by the hypothesis IH. By Corollary E.1,

$(S_1'; s_1; s_1', m_1(\sigma_1)) \rightarrow^* (s_1; s_1', m_1'(\sigma_1'))$ and $(S_2'; s_2; s_2', m_2(\sigma_2)) \rightarrow^* (s_2; s_2', m_2'(\sigma_2'))$. By assumption, $S_1$ terminates, so $s_1$ terminates, $(s_1, m_1'(\sigma_1')) \rightarrow^* (skip, m_1''(\sigma_1''))$. Because $s_1' =_H s_2$, to apply the induction hypothesis we need to show that all required conditions hold.

• $size(s_2) + size(s_1') < k$.

By definition, $size(S_1') \ge 1$, $size(S_2') \ge 1$, $size(s_1) \ge 1$ and $size(s_2') \ge 1$.

• The value stores $\sigma_1''$ and $\sigma_2'$ agree on the values of the termination deciding variables of $s_1'$ and $s_2$, $\forall x \in TVar(s_1') \cup TVar(s_2) : \sigma_1''(x) = \sigma_2'(x)$.

By Corollary 5.1, $TVar(s_1') = TVar(s_2)$. Because of the condition $Def(s_1) \cap TVar(s_1') = \emptyset$, by Corollary E.2 the value stores $\sigma_1''$ and $\sigma_1'$ agree on the values of the termination deciding variables of $s_1'$, $\forall x \in TVar(s_1') : \sigma_1''(x) = \sigma_1'(x)$. By the argument above, $\forall x \in TVar(s_2) : \sigma_1'(x) = \sigma_2'(x)$. Thus, the condition holds.

By the induction hypothesis IH, $(s_1', m_1''(\sigma_1'')) =_H (s_2, m_2'(\sigma_2'))$.

Because the execution of $s_1'$ terminates, the execution of $s_2$ terminates when started in the state $m_2'(\sigma_2')$, $(s_2, m_2'(\sigma_2')) \rightarrow^* (skip, m_2''(\sigma_2''))$.

We show that the execution of $s_2'$ terminates by an argument similar to the one showing that $s_2$ terminates.

In conclusion, $S_2$ terminates when started in the state $m_2(\sigma_2)$. The theorem holds.

In addition, we show by contradiction that it is impossible for $s_1$ and $s_1'$ to both include input statements. Suppose there are input statements in both $s_1$ and $s_1'$. By Lemma 5.11, $id_I \in Def(s_1) \cap TVar(s_1')$. A contradiction with the condition that $Def(s_1) \cap TVar(s_1') = \emptyset$. Similarly, there are no input statements in both $s_2$ and $s_2'$.

□

5.3.3 Supporting lemmas for the soundness proof of termination in the same way

The supporting lemmas include various properties of $TVar(S)$, the fact that two statement sequences satisfying the proof rule of termination in the same way consume the same number of input values when both terminate, and the proof for the case of the while statement of Theorem 4.

The properties of the termination deciding variables 

Lemma 5.4. The crash variables of $S_1; S_1'$ are the same as the union of the crash variables of $S_1$ and the imported variables in $S_1$ relative to the crash variables of $S_1'$, $CVar(S_1; S_1') = CVar(S_1) \cup Imp(S_1, CVar(S_1'))$.

Proof. Let $S_1' = s_1; \ldots; s_k$ for $k > 0$. We show the lemma by induction on $k$.

Base case.

By the definition of $CVar(S)$, the lemma holds.

Induction step.

The hypothesis IH is that $CVar(S_1; s_1; \ldots; s_k) = CVar(S_1) \cup Imp(S_1, CVar(s_1; \ldots; s_k))$ for $k \ge 1$.

Then we show that the lemma holds when $S_1' = s_1; \ldots; s_{k+1}$.

$CVar(S_1; s_1; \ldots; s_{k+1})$
$= CVar(S_1; s_1) \cup Imp(S_1; s_1, CVar(s_2; \ldots; s_{k+1}))$ by IH

$CVar(S_1; s_1)$
$= CVar(S_1) \cup Imp(S_1, CVar(s_1))$ (1)

$Imp(S_1; s_1, CVar(s_2; \ldots; s_{k+1}))$
$= Imp(S_1, Imp(s_1, CVar(s_2; \ldots; s_{k+1})))$ (2)

Combining (1) and (2), we have

$CVar(S_1; s_1) \cup Imp(S_1; s_1, CVar(s_2; \ldots; s_{k+1}))$
$= CVar(S_1) \cup Imp(S_1, CVar(s_1)) \cup Imp(S_1, Imp(s_1, CVar(s_2; \ldots; s_{k+1})))$
$= CVar(S_1) \cup Imp(S_1, CVar(s_1) \cup Imp(s_1, CVar(s_2; \ldots; s_{k+1})))$ by Lemma C.[?]
$= CVar(S_1) \cup Imp(S_1, CVar(s_1; \ldots; s_{k+1}))$.

□

Lemma 5.5. The loop deciding variables of $S_1; S_1'$ are the same as the union of the loop deciding variables of $S_1$ and the imported variables in $S_1$ relative to the loop deciding variables of $S_1'$, $LVar(S_1; S_1') = LVar(S_1) \cup Imp(S_1, LVar(S_1'))$.

Proof. Similar to that of Lemma 5.4 above.

Lemma 5.6. If two statement sequences $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, then $S_1$ and $S_2$ have the same loop variables, $(S_1 =_H S_2) \Rightarrow (LVar(S_1) = LVar(S_2))$.

Proof. By induction on $size(S_1) + size(S_2)$, the sum of the program sizes of $S_1$ and $S_2$.

Base case.

$S_1$ and $S_2$ are simple statements. There are three base cases according to the definition of $S_1 =_H S_2$.

1. Two identical simple statements, $S_1 = S_2$;

2. $S_1$ and $S_2$ are input statements with variables of the same type: $S_1$ = "input $id_1$", $S_2$ = "input $id_2$" where $(\Gamma_{S_1} \vdash id_1 : t) \wedge (\Gamma_{S_2} \vdash id_2 : t)$;

3. $S_1$ = "output $e$" or "$id_1 := e$", $S_2$ = "output $e$" or "$id_2 := e$" where both of the following hold:

• There is no possible value mismatch in "$id_1 := e$", $\neg(\Gamma_{S_1} \vdash id_1 : Int) \vee \neg(\Gamma_{S_1} \vdash e : Long) \vee (\Gamma_{S_1} \vdash e : Int)$.

• There is no possible value mismatch in "$id_2 := e$", $\neg(\Gamma_{S_2} \vdash id_2 : Int) \vee \neg(\Gamma_{S_2} \vdash e : Long) \vee (\Gamma_{S_2} \vdash e : Int)$.

By the definition of loop variables, $LVar(S_1) = LVar(S_2) = \emptyset$ in all base cases. Therefore, Lemma 5.6 holds.

Induction step.

The hypothesis IH1 is that Lemma 5.6 holds when $size(S_1) + size(S_2) = k \ge 2$.

We show that Lemma 5.6 holds when $size(S_1) + size(S_2) = k + 1$.

The proof is a case analysis according to the cases in the definition of $(S_1 =_H S_2)$:

1. $S_1$ and $S_2$ are one statement and one of the following holds.

(a) $S_1$ = "If($e$) then {$S_1^t$} else {$S_1^f$}", $S_2$ = "If($e$) then {$S_2^t$} else {$S_2^f$}" such that one of the following holds:

i. $S_1^t$, $S_1^f$, $S_2^t$, $S_2^f$ are all sequences of "skip";

By the definition of loop variables, $LVar(S_1^t) = LVar(S_1^f) = LVar(S_2^t) = LVar(S_2^f) = \emptyset$. Therefore, by the definition of loop variables, $LVar(S_1) = LVar(S_2) = \emptyset$. Lemma 5.6 holds.

ii. At least one of $S_1^t$, $S_1^f$, $S_2^t$, $S_2^f$ is not a sequence of "skip" such that $(S_1^t =_H S_2^t) \wedge (S_1^f =_H S_2^f)$; $size(S_1^t) + size(S_2^t) < k$ and $size(S_1^f) + size(S_2^f) < k$.

Then, by the hypothesis IH1, $LVar(S_1^t) = LVar(S_2^t)$ and $LVar(S_1^f) = LVar(S_2^f)$. Consequently, $(LVar(S_1^t) \cup LVar(S_1^f)) = (LVar(S_2^t) \cup LVar(S_2^f)) = LVar(A)$. When $LVar(A) = \emptyset$, then $LVar(S_1) = LVar(S_2) = \emptyset$ by the definition of loop variables. When $LVar(A) \neq \emptyset$, then $LVar(S_1) = LVar(S_2) = LVar(A) \cup Use(e)$ by the definition of loop variables. Lemma 5.6 holds.

(b) $S_1$ = "while$_{(n_1)}$($e$) {$S_1''$}", $S_2$ = "while$_{(n_2)}$($e$) {$S_2''$}" such that both of the following hold:

• $S_1'' =_H S_2''$;

• $S_1''$ and $S_2''$ have equivalent computation of $TVar(S_1) \cup TVar(S_2)$;

By the hypothesis IH1, $LVar(S_1'') = LVar(S_2'')$. Then $Use(e) \cup LVar(S_1'') = Use(e) \cup LVar(S_2'')$. Then, we show that

$\forall i \ge 0 : Imp((S_1'')^i, Use(e) \cup LVar(S_1'')) = Imp((S_2'')^i, Use(e) \cup LVar(S_2''))$

by induction on $i$.

Base case.

By our notation $S^0$, $(S_1'')^0$ = skip and $(S_2'')^0$ = skip. Then, by the definition of imported variables,

$Imp((S_1'')^0, Use(e) \cup LVar(S_1'')) = Use(e) \cup LVar(S_1'')$,
$Imp((S_2'')^0, Use(e) \cup LVar(S_2'')) = Use(e) \cup LVar(S_2'')$.

Then, $Imp((S_1'')^0, Use(e) \cup LVar(S_1'')) = Imp((S_2'')^0, Use(e) \cup LVar(S_2''))$.

Induction step.

The hypothesis IH3 is that, for $i \ge 0$, $Imp((S_1'')^i, Use(e) \cup LVar(S_1'')) = Imp((S_2'')^i, Use(e) \cup LVar(S_2''))$.

Then we show that $Imp((S_1'')^{i+1}, Use(e) \cup LVar(S_1'')) = Imp((S_2'')^{i+1}, Use(e) \cup LVar(S_2''))$.

By Corollary C.1,

$Imp((S_1'')^{i+1}, Use(e) \cup LVar(S_1'')) = Imp(S_1'', Imp((S_1'')^i, Use(e) \cup LVar(S_1'')))$,
$Imp((S_2'')^{i+1}, Use(e) \cup LVar(S_2'')) = Imp(S_2'', Imp((S_2'')^i, Use(e) \cup LVar(S_2'')))$.

By the hypothesis IH3, $Imp((S_1'')^i, Use(e) \cup LVar(S_1'')) = Imp((S_2'')^i, Use(e) \cup LVar(S_2'')) = LVar(A)$. Besides, by the definition of loop variables, $LVar(A) \subseteq LVar(S_1)$ and $LVar(A) \subseteq LVar(S_2)$.

Then,

$Imp(S_1'', Imp((S_1'')^i, Use(e) \cup LVar(S_1'')))$
$= Imp(S_1'', LVar(A))$
$= Imp(S_2'', LVar(A))$ by Lemma 5.3
$= Imp(S_2'', Imp((S_2'')^i, Use(e) \cup LVar(S_2'')))$.

In summary, $LVar(S_1) = LVar(S_2)$. Lemma 5.6 holds.

2. $S_1$ and $S_2$ are not both one statement and one of the following holds:

(a) $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ such that all of the following hold:

• $S_1' =_H S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $TVar(s_1) \cup TVar(s_2)$;

• $s_1 =_H s_2$ where $s_1$ and $s_2$ are not "skip";

By the hypothesis IH1, $LVar(S_1') = LVar(S_2')$ and $LVar(s_1) = LVar(s_2) = LVar(A)$. Besides,

$Imp(S_1', LVar(s_1)) = Imp(S_2', LVar(s_2))$ by Lemma 5.3.

Therefore, $LVar(S_1) = LVar(S_2)$ by the definition of loop variables. Lemma 5.6 holds.

(b) One last statement is "skip": w.l.o.g., $((S_1 =_H S_2') \wedge (s_2 = $ "skip"$))$.

By the hypothesis IH1, $LVar(S_1) = LVar(S_2')$. Besides, $LVar(s_2) = \emptyset$ by the definition of loop variables. Therefore, $LVar(S_1) = LVar(S_2') = LVar(S_2') \cup Imp(S_2', \emptyset) = LVar(S_2)$. Lemma 5.6 holds.

(c) One last statement is a "duplicate" statement such that one of the following holds:

W.l.o.g., $S_1 = S_1'; s_1'; S_1''; s_1$ and all of the following hold:

• $S_1'; s_1'; S_1'' =_H S_2$;

• $s_1' =_H s_1$;

• $Def(s_1'; S_1'') \cap TVar(s_1) = \emptyset$;

• $s_1 \neq$ "skip";

By the hypothesis IH1, $LVar(S_1'; s_1'; S_1'') = LVar(S_2)$.

Then, we show that $LVar(S_1'; s_1'; S_1'') = LVar(S_1'; s_1'; S_1''; s_1)$. By the induction hypothesis IH1, $LVar(s_1') = LVar(s_1)$.

$LVar(S_1'; s_1'; S_1''; s_1)$
$= LVar(S_1'; s_1'; S_1'') \cup Imp(S_1'; s_1'; S_1'', LVar(s_1))$ by the definition of loop variables

$Imp(S_1'; s_1'; S_1'', LVar(s_1))$
$= Imp(S_1', Imp(s_1'; S_1'', LVar(s_1)))$ by Corollary C.1
$= Imp(S_1', LVar(s_1))$ by $Def(s_1'; S_1'') \cap TVar(s_1) = \emptyset$
$= Imp(S_1', LVar(s_1'))$ by $LVar(s_1) = LVar(s_1')$
$\subseteq LVar(S_1'; s_1')$ by the definition of loop variables
$\subseteq LVar(S_1'; s_1'; S_1'')$ by Lemma 5.5

In conclusion, $LVar(S_1'; s_1'; S_1''; s_1) = LVar(S_1'; s_1'; S_1'')$. The lemma holds.

(d) $S_1 = S_1'; s_1; s_1'$ and $S_2 = S_2'; s_2; s_2'$ where $s_1$ and $s_2$ are reordered and all of the following hold:

• $S_1' =_H S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $TVar(s_1; s_1') \cup TVar(s_2; s_2')$;

• $s_1 =_H s_2'$;

• $s_1' =_H s_2$;

• $Def(s_1) \cap TVar(s_1') = \emptyset$;

• $Def(s_2) \cap TVar(s_2') = \emptyset$;

By the hypothesis IH1, $LVar(S_1') = LVar(S_2')$, $LVar(s_1) = LVar(s_2')$ and $LVar(s_1') = LVar(s_2)$.

In the following, we show $LVar(S_1) = LVar(S_2)$ in three steps.

i. We show $LVar(S_1'; s_1; s_1') = LVar(S_1') \cup Imp(S_1', LVar(s_1)) \cup Imp(S_1', LVar(s_1'))$.

$LVar(S_1'; s_1; s_1')$
$= LVar(S_1'; s_1) \cup Imp(S_1'; s_1, LVar(s_1'))$ by the definition of loop variables

$LVar(S_1'; s_1)$
$= LVar(S_1') \cup Imp(S_1', LVar(s_1))$ (2) by the definition of loop variables

$Imp(S_1'; s_1, LVar(s_1'))$
$= Imp(S_1', Imp(s_1, LVar(s_1')))$ by Corollary C.1
$= Imp(S_1', LVar(s_1'))$ (3) by the condition $Def(s_1) \cap TVar(s_1') = \emptyset$

According to (2) and (3), $LVar(S_1'; s_1; s_1') = LVar(S_1') \cup Imp(S_1', LVar(s_1)) \cup Imp(S_1', LVar(s_1'))$.

Similarly, $LVar(S_2'; s_2; s_2') = LVar(S_2') \cup Imp(S_2', LVar(s_2)) \cup Imp(S_2', LVar(s_2'))$.

ii. We show that $Imp(S_1', LVar(s_1)) = Imp(S_2', LVar(s_2'))$.

We need to show that $LVar(s_1) \subseteq LVar(s_1; s_1')$ and $LVar(s_2') \subseteq LVar(s_2; s_2')$. By the definition of loop variables, $LVar(s_1) \subseteq LVar(s_1; s_1')$. By the definition of loop variables again, $LVar(s_2; s_2') = LVar(s_2) \cup Imp(s_2, LVar(s_2'))$. Because $Def(s_2) \cap TVar(s_2') = \emptyset$, $Imp(s_2, LVar(s_2')) = LVar(s_2')$.

By the induction hypothesis IH1, $LVar(s_1) = LVar(s_2')$. By Lemma 5.3, $\forall x \in LVar(s_1) = LVar(s_2') : Imp(S_1', \{x\}) = Imp(S_2', \{x\})$. By Lemma C.[?], $Imp(S_1', LVar(s_1)) = Imp(S_2', LVar(s_2'))$.

iii. We show that $Imp(S_1', LVar(s_1')) = Imp(S_2', LVar(s_2))$, by an argument similar to that for $Imp(S_1', LVar(s_1)) = Imp(S_2', LVar(s_2'))$.

In conclusion, $LVar(S_1'; s_1; s_1') = LVar(S_2'; s_2; s_2')$.

□

Lemma 5.7. If two statement sequences $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, then $S_1$ and $S_2$ have the same crash variables, $(S_1 =_H S_2) \Rightarrow (CVar(S_1) = CVar(S_2))$.

Proof. Similar to that of Lemma 5.6.

Corollary 5.1. If two statement sequences $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, then $S_1$ and $S_2$ have the same termination deciding variables, $(S_1 =_H S_2) \Rightarrow (TVar(S_1) = TVar(S_2))$.

Proof. By Lemma 5.6 and Lemma 5.7.

Properties of the input sequence variable

Lemma 5.8. If there is no input statement in a statement sequence $S$, then the input sequence variable is not in the defined variables of $S$, $(\nexists$ "input $x$" $\in S) \Rightarrow (id_I \notin Def(S))$.

Proof. By induction on the abstract syntax of $S$. □

Lemma 5.9. If there is no input statement in a statement sequence $S$, then the input sequence variable is not in the crash variables of $S$, $(\nexists$ "input $x$" $\in S) \Rightarrow (id_I \notin CVar(S))$.

Proof. By induction on the abstract syntax of $S$. □

Lemma 5.10. If there is no input statement in a statement sequence $S$, then the input sequence variable is not in the loop variables of $S$, $(\nexists$ "input $x$" $\in S) \Rightarrow (id_I \notin LVar(S))$.

Proof. By induction on the abstract syntax of $S$. □

Corollary 5.2. If there is no input statement in a statement sequence $S$, then the input sequence variable is not in the termination deciding variables of $S$, $(\nexists$ "input $x$" $\in S) \Rightarrow (id_I \notin TVar(S))$.

Proof. By Lemma 5.9 and Lemma 5.10.

Lemma 5.11. If there is one input statement in a statement sequence $S$, then the input sequence variable is in the crash variables and the defined variables of $S$, $(\exists$ "input $x$" $\in S) \Rightarrow (id_I \in CVar(S)) \wedge (id_I \in Def(S))$.

Proof. By induction on the abstract syntax of $S$. □

Lemma 5.12. If there is one input statement in a statement sequence $S$, then the imported variables in $S$ relative to the input sequence variable are a subset of the crash variables of $S$,

$(\exists$ "input $x$" $\in S) \Rightarrow (Imp(S, \{id_I\}) \subseteq CVar(S))$.

Proof. By induction on the abstract syntax of $S$.

1. $S$ = "input $x$".

By the definition of $CVar(\cdot)$ and $Imp(\cdot)$, $CVar(S) = Imp(S, \{id_I\}) = \{id_I\}$.

2. $S$ = "If($e$) then {$S^t$} else {$S^f$}".

W.l.o.g., there is an input statement in $S^t$; by the induction hypothesis, $Imp(S^t, \{id_I\}) \subseteq CVar(S^t)$. There are two subcases according to whether an input statement is in $S^f$.

(a) There is an input statement in $S^f$.

By the induction hypothesis, $Imp(S^f, \{id_I\}) \subseteq CVar(S^f)$. Hence, the lemma holds.

(b) There is no input statement in $S^f$.

By the definition of imported variables, $Imp(S^f, \{id_I\}) = \{id_I\}$. By Lemma 5.11, $id_I \in CVar(S^t)$. Therefore, the lemma holds.

3. $S$ = "while$_{(n)}$($e$) {$S'$}".

By the induction hypothesis, $Imp(S', \{id_I\}) \subseteq CVar(S')$.

By the definition of $Imp(\cdot)$, $Imp(S, \{id_I\}) = \bigcup_{i \ge 0} Imp((S')^i, \{id_I\} \cup Use(e))$. By the definition of $CVar(\cdot)$, $CVar(S) = \bigcup_{i \ge 0} Imp((S')^i, CVar(S') \cup Use(e))$.

By induction on $i$, we show that, $\forall i \ge 0$, $Imp((S')^i, \{id_I\} \cup Use(e)) \subseteq Imp((S')^i, CVar(S') \cup Use(e))$.

Base case $i = 0$.

By notation, $(S')^0$ = skip.

$Imp((S')^0, \{id_I\} \cup Use(e))$
$= \{id_I\} \cup Use(e)$ by the definition of imported variables

$Imp((S')^0, CVar(S') \cup Use(e))$
$= CVar(S') \cup Use(e)$ by the definition of imported variables

$\{id_I\} \subseteq CVar(S')$ (1) by Lemma 5.11

$Imp((S')^0, \{id_I\} \cup Use(e))$
$\subseteq Imp((S')^0, CVar(S') \cup Use(e))$ by Lemma C.[?]

Induction step.

The hypothesis IH1 is that $Imp((S')^i, \{id_I\} \cup Use(e)) \subseteq Imp((S')^i, CVar(S') \cup Use(e))$ for $i \ge 0$.

Then we show that $Imp((S')^{i+1}, \{id_I\} \cup Use(e)) \subseteq Imp((S')^{i+1}, CVar(S') \cup Use(e))$.

$Imp((S')^i, \{id_I\} \cup Use(e))$
$\subseteq Imp((S')^i, CVar(S') \cup Use(e))$ (1) by the hypothesis IH1

$Imp((S')^{i+1}, \{id_I\} \cup Use(e))$
$= Imp(S', Imp((S')^i, \{id_I\} \cup Use(e)))$ (2) by Corollary C.1

$Imp((S')^{i+1}, CVar(S') \cup Use(e))$
$= Imp(S', Imp((S')^i, CVar(S') \cup Use(e)))$ (3) by Corollary C.1

Combining (1), (2) and (3):

$Imp(S', Imp((S')^i, \{id_I\} \cup Use(e)))$
$\subseteq Imp(S', Imp((S')^i, CVar(S') \cup Use(e)))$ by Lemma C.[?]

Therefore, $Imp((S')^{i+1}, \{id_I\} \cup Use(e)) \subseteq Imp((S')^{i+1}, CVar(S') \cup Use(e))$.

In conclusion, $Imp(S, \{id_I\}) \subseteq CVar(S)$.

4. $S = s_1; \ldots; s_k$, for $k > 0$.

By induction on $k$.

Base case, $k = 1$.

By the above cases, the lemma holds.

Induction step.

The induction hypothesis IH2 is that the lemma holds when $k > 0$. We show that the lemma holds when $S = s_1; \ldots; s_{k+1}$.

By the definition of crash variables, $CVar(s_1; \ldots; s_{k+1}) = CVar(s_1; \ldots; s_k) \cup Imp(s_1; \ldots; s_k, CVar(s_{k+1}))$. There are two possibilities.

(a) $\nexists$ "input $x$" $\in s_{k+1}$.

By Lemma 5.8, $id_I \notin Def(s_{k+1})$.

$Imp(s_1; \ldots; s_{k+1}, \{id_I\})$
$= Imp(s_1; \ldots; s_k, \{id_I\})$ by $id_I \notin Def(s_{k+1})$ and the definition of imported variables
$\subseteq CVar(s_1; \ldots; s_k)$ by the hypothesis IH2
$\subseteq CVar(s_1; \ldots; s_{k+1})$ by the definition of crash variables

(b) $\exists$ "input $x$" $\in s_{k+1}$.

$Imp(s_1; \ldots; s_{k+1}, \{id_I\})$
$= Imp(s_1; \ldots; s_k, Imp(s_{k+1}, \{id_I\}))$ by the definition of imported variables

$Imp(s_{k+1}, \{id_I\})$
$\subseteq CVar(s_{k+1})$ by the hypothesis IH2

$Imp(s_1; \ldots; s_k, Imp(s_{k+1}, \{id_I\}))$
$\subseteq Imp(s_1; \ldots; s_k, CVar(s_{k+1}))$ by Lemma C.[?]
$\subseteq CVar(s_1; \ldots; s_{k+1})$ by the definition of crash variables.

□
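The following Python model is an added example, not the paper's code, illustrating Lemma 5.4 and Lemma 5.12 on constructed programs: it computes Def, Imp, CVar and LVar for a toy W-like syntax, checks that CVar composes across every split point as Lemma 5.4 states, and checks that Imp(S, {id_I}) ⊆ CVar(S) once S contains an input statement. Its compositional definitions of Imp, CVar and LVar, and the rule that only an expression containing a division can crash, are assumptions reconstructed from the properties the proofs above rely on.

```python
"""Added example, not from the paper: a toy model of W-language termination deciding
variables.  Statements are tagged tuples ('skip',) ('assign', x, e) ('input', x)
('output', e) ('if', e, then, else) ('while', e, body); Def, Imp, CVar and LVar are
assumptions reconstructed from the properties the proofs use, and an expression can
crash only if it contains a division (Err(e) = Use(e) for such e)."""
from typing import Callable, FrozenSet, NamedTuple, Tuple

ID_I = "id_I"  # the input sequence variable, defined and used by "input x"
Vars = FrozenSet[str]
Seq = Tuple[tuple, ...]  # a statement sequence is a tuple of statements
EMPTY: Vars = frozenset()

class Expr(NamedTuple):
    use: Vars                # Use(e)
    may_crash: bool = False  # e contains a division, so Err(e) = Use(e)

def expr(*vs: str, div: bool = False) -> Expr: return Expr(frozenset(vs), div)
def err(e: Expr) -> Vars: return e.use if e.may_crash else EMPTY

def defs(seq: Seq) -> Vars:
    """Def(S): variables S may define; "input x" defines x and id_I."""
    out = set()
    for s in seq:
        if s[0] == "assign":
            out.add(s[1])
        elif s[0] == "input":
            out |= {s[1], ID_I}
        elif s[0] in ("if", "while"):
            out |= defs(s[2]) | (defs(s[3]) if s[0] == "if" else EMPTY)
    return frozenset(out)

def imp(seq: Seq, v: Vars) -> Vars:
    """Imp(S, V) with Imp(s1;...;sk, V) = Imp(s1, Imp(s2;...;sk, V)) (Corollary C.1)."""
    for s in reversed(seq):
        v = imp1(s, v)
    return v

def imp1(s: tuple, v: Vars) -> Vars:
    kind = s[0]
    if kind == "assign" and s[1] in v:
        return (v - {s[1]}) | s[2].use
    if kind == "input" and (s[1] in v or ID_I in v):
        return (v - {s[1]}) | {ID_I}
    if kind == "if" and (defs(s[2]) | defs(s[3])) & v:
        return s[1].use | imp(s[2], v) | imp(s[3], v)
    if kind == "while" and defs(s[2]) & v:
        return closure(s[2], v | s[1].use)
    return v  # skip, output, or Def(s) ∩ V = ∅, where Imp(s, V) = V

def closure(body: Seq, v: Vars) -> Vars:
    acc = v  # union over all i >= 0 of Imp(body^i, V), as a least fixpoint
    while (nxt := acc | imp(body, acc)) != acc:
        acc = nxt
    return acc

def fold(seq: Seq, single: Callable[[tuple], Vars]) -> Vars:
    """X(s1;...;sk) = X(s1;...;s_{k-1}) ∪ Imp(s1;...;s_{k-1}, X(sk)), X in {CVar, LVar}."""
    acc = EMPTY
    for k, s in enumerate(seq):
        acc = acc | imp(seq[:k], single(s))
    return acc

def cvar1(s: tuple) -> Vars:
    kind = s[0]
    if kind in ("assign", "output"):
        return err(s[-1])
    if kind == "input":
        return frozenset({ID_I})  # reading past the end of the input crashes
    if kind == "if":
        inner = cvar(s[2]) | cvar(s[3])
        return err(s[1]) | ((s[1].use | inner) if inner else EMPTY)
    if kind == "while":  # CVar = U_i Imp(S''^i, CVar(S'') ∪ Use(e))
        return closure(s[2], cvar(s[2]) | s[1].use)
    return EMPTY

def lvar1(s: tuple) -> Vars:
    if s[0] == "if":
        inner = lvar(s[2]) | lvar(s[3])
        return (s[1].use | inner) if inner else EMPTY
    if s[0] == "while":  # LVar = U_i Imp(S''^i, Use(e) ∪ LVar(S''))
        return closure(s[2], s[1].use | lvar(s[2]))
    return EMPTY

def cvar(seq: Seq) -> Vars: return fold(seq, cvar1)
def lvar(seq: Seq) -> Vars: return fold(seq, lvar1)

def lemma_5_4_holds(seq: Seq) -> bool:
    """CVar(S1; S1') = CVar(S1) ∪ Imp(S1, CVar(S1')) at every split point of seq."""
    return all(cvar(seq) == cvar(seq[:j]) | imp(seq[:j], cvar(seq[j:]))
               for j in range(len(seq) + 1))

def lemma_5_12_holds(seq: Seq) -> bool:
    return ID_I not in defs(seq) or imp(seq, frozenset({ID_I})) <= cvar(seq)

# Constructed programs.  PROG is "i := 0; while (i < n) { sum := sum + 100 / x;
# i := i + 1 }; if (sum > 0) then { output sum } else { skip }"; PROG_INPUT reads n
# and every x from the input sequence.
BODY: Seq = (("assign", "sum", expr("sum", "x", div=True)), ("assign", "i", expr("i")))
PROG: Seq = (("assign", "i", expr()), ("while", expr("i", "n"), BODY),
             ("if", expr("sum"), (("output", expr("sum")),), (("skip",),)))
PROG_INPUT: Seq = (("input", "n"), ("assign", "i", expr()), ("assign", "sum", expr()),
                   ("while", expr("i", "n"), (("input", "x"),) + BODY), PROG[2])
```

For PROG the crash variables come out as {sum, x, n} (the division operands and the loop bound) while the loop variables are only {n}; for PROG_INPUT both collapse to {id_I}, since every value now comes from the input sequence.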

Lemma 5.13. If two programs $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, then $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of the input sequence variable: $(S_1 \equiv_T S_2) \Rightarrow (S_1 \equiv_{id_I} S_2)$.

Proof. By induction on $size(S_1) + size(S_2)$.

Base case. $S_1$ and $S_2$ are simple statements.

There are three cases.

1. $S_1$ and $S_2$ are "skip": $S_1 = S_2 =$ "skip";

2. $S_1$ and $S_2$ are input statements: $S_1 =$ "input $id_1$", $S_2 =$ "input $id_2$";

3. $S_1$ and $S_2$ are with the same expression: $S_1 =$ "output $e$" or "$id_1 := e$", $S_2 =$ "output $e$" or "$id_2 := e$".

By the definition of the proof rule of equivalent computation, the lemma holds in the above three cases.

Induction step.

The hypothesis IH is that the lemma holds when $size(S_1) + size(S_2) = k \geq 2$.

Then, we show that the lemma holds when $size(S_1) + size(S_2) = k + 1$. The proof is a case analysis of the cases in the proof rule of termination in the same way.

1. $S_1$ and $S_2$ are one statement and one of the following holds.

(a) $S_1 =$ "if($e$) then $\{S_1'\}$ else $\{S_1''\}$", $S_2 =$ "if($e$) then $\{S_2'\}$ else $\{S_2''\}$" and one of the following holds:

i. $S_1', S_1'', S_2', S_2''$ are all sequences of "skip";

By Lemma 5.8, $id_I \notin Def(S_1) \cap Def(S_2)$. The lemma holds.

ii. At least one of $S_1', S_1'', S_2', S_2''$ is not a sequence of "skip" such that: $(S_1' \equiv_T S_2') \wedge (S_1'' \equiv_T S_2'')$;

Because $size(S_1) = 1 + size(S_1') + size(S_1'')$ and $size(S_2) = 1 + size(S_2') + size(S_2'')$, we have $size(S_1') + size(S_2') \leq k$ and $size(S_1'') + size(S_2'') \leq k$. By the induction hypothesis IH, $(S_1' \equiv_{id_I} S_2') \wedge (S_1'' \equiv_{id_I} S_2'')$. Then, the lemma holds by the definition of $S_1 \equiv_{id_I} S_2$.

(b) $S_1 =$ "while$_{(n_1)}$($e$)$\{S_1''\}$", $S_2 =$ "while$_{(n_2)}$($e$)$\{S_2''\}$" and both of the following hold:

• $S_1'' \equiv_T S_2''$;

• $S_1''$ and $S_2''$ have equivalent computation of $TVar(S_1) \cup TVar(S_2)$;

By the induction hypothesis IH, $S_1'' \equiv_{id_I} S_2''$. In addition, by Corollary 5.1, $TVar(S_1) = TVar(S_2)$. There are two cases.

i. $id_I \in TVar(S_1) = TVar(S_2)$.

We show that $id_I \in Def(S_1) \cap Def(S_2)$. If there is no input statement in $S_1$ or $S_2$, then, by Corollary 5.2, $id_I \notin TVar(S_1) \cap TVar(S_2)$. A contradiction. Thus, there is an input statement in $S_1$ and $S_2$; by Lemma 5.11, $id_I \in Def(S_1) \cap Def(S_2)$.

By Lemma 5.12, $Imp(S_1, \{id_I\}) \subseteq CVar(S_1)$. Similarly, $Imp(S_2, \{id_I\}) \subseteq TVar(S_2)$. Hence, the loop bodies of $S_1$ and $S_2$ equivalently compute every one of the imported variables in $S_1$ and $S_2$ relative to the input sequence variable, $\forall x \in Imp(S_1, \{id_I\}) \cup Imp(S_2, \{id_I\}) : S_1'' \equiv_x S_2''$. Thus, the lemma holds.

ii. $id_I \notin TVar(S_1) = TVar(S_2)$.

Then there is no input statement in $S_1$ and $S_2$. Otherwise, by Lemma 5.11, $(id_I \in CVar(S_1)) \vee (id_I \in CVar(S_2))$. A contradiction. Then, by Lemma 5.8, $id_I \notin (Def(S_1) \cap Def(S_2))$. Hence, the lemma holds.

2. $S_1$ and $S_2$ are not both one statement and one of the following holds:

(a) $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ and all of the following hold:

• $S_1' \equiv_T S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $TVar(s_1) \cup TVar(s_2)$;

• $s_1 \equiv_T s_2$ where $s_1$ and $s_2$ are not "skip";

By the induction hypothesis IH, $s_1 \equiv_{id_I} s_2$. By Corollary 5.1, $TVar(s_1) = TVar(s_2)$. There are two cases.

i. $id_I \in TVar(s_1) = TVar(s_2)$.

Then there is an input statement in $s_1$ and $s_2$. Otherwise, by Lemma 5.[?], $id_I \notin TVar(s_1) = TVar(s_2)$. A contradiction. Then, by Lemma 5.11, $id_I \in Def(s_1) \cap Def(s_2)$.

By Lemma 5.3, $Imp(s_1, \{id_I\}) = Imp(s_2, \{id_I\})$.

By Lemma 5.12, $Imp(s_1, \{id_I\}) \subseteq CVar(s_1)$. Therefore, $S_1'$ and $S_2'$ equivalently compute $Imp(s_1, \{id_I\}) \cup Imp(s_2, \{id_I\})$. The lemma holds.

ii. $id_I \notin TVar(s_1) = TVar(s_2)$.

Then, there is no input statement in $s_1$ and $s_2$. Otherwise, by Lemma 5.11, $id_I \in CVar(s_1) = CVar(s_2)$. A contradiction. Then, by Lemma 5.8, $id_I \notin Def(s_1) \cup Def(s_2)$. By the induction hypothesis IH, $S_1' \equiv_{id_I} S_2'$. The lemma holds.

(b) One last statement is "skip": W.l.o.g., $((S_1' \equiv_T S_2) \wedge (s_1 =$ "skip"$))$.

By the induction hypothesis, $S_1' \equiv_{id_I} S_2$. By definition, $id_I \notin Def(s_1)$. The lemma holds.

(c) One last statement is a "duplicate" statement such that one of the following holds:

W.l.o.g., $S_1 = S_1'; s_1'; S_1''; s_1$ and all of the following hold:

• $S_1'; s_1'; S_1'' \equiv_T S_2$;

• $s_1' \equiv_T s_1$;

• $Def(s_1'; S_1'') \cap TVar(s_1) = \emptyset$;

• $S_2 \neq$ "skip".

By the induction hypothesis, $S_1'; s_1'; S_1'' \equiv_{id_I} S_2$. In the proof of Theorem 3 there is no input statement in $S_2$. Because $\forall x$: "input $x$" $\notin S_2$, by Lemma 5.8, $id_I \notin Def(s_1)$.

The lemma holds.

(d) $S_1 = S_1'; s_1; s_1'$ and $S_2 = S_2'; s_2; s_2'$ where $s_1; s_1'$ and $s_2; s_2'$ are reordered and all of the following hold:

• $S_1' \equiv_T S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $TVar(s_1; s_1') \cup TVar(s_2; s_2')$;

• $s_1 \equiv_T s_2'$;

• $s_1' \equiv_T s_2$;

• $Def(s_1) \cap TVar(s_1') = \emptyset$;

• $Def(s_2) \cap TVar(s_2') = \emptyset$;

In the proof of Theorem [?] we showed that $s_1$ and $s_1'$ do not both include an input statement, and $s_2$ and $s_2'$ do not both include an input statement. There are two subcases.

i. There are no input statements in both $s_1$ and $s_1'$.

We show that there are no input statements in both $s_2$ and $s_2'$. By Corollary 5.1, $TVar(s_1) = TVar(s_2')$ and $TVar(s_1') = TVar(s_2)$. By Corollary 5.2, $id_I \notin TVar(s_1) \cup TVar(s_1')$. Thus, $id_I \notin TVar(s_2) \cup TVar(s_2')$.

If there is an input statement in $s_2$ or $s_2'$, then, by Lemma 5.11, $id_I \in TVar(s_2) \cup TVar(s_2')$. A contradiction. In summary, there are no input statements in both $s_2$ and $s_2'$.

By Lemma 5.8, $id_I \notin Def(s_1; s_1')$ and $id_I \notin Def(s_2; s_2')$.

By the induction hypothesis, $S_1' \equiv_{id_I} S_2'$. Therefore, the lemma holds.

ii. W.l.o.g., there are input statements in $s_1$ only.

By a similar argument to the proof of Theorem 4 that $s_1$ and $s_1'$ do not both include input statements, we can show that there is no input statement in $s_2$ and there is an input statement in $s_2'$.

In the following, the proof is of two steps.

A. We show that $s_1; s_1' \equiv_{id_I} s_2'$.

By the induction hypothesis IH, $s_1 \equiv_{id_I} s_2'$. Because there is no input statement in $s_1'$, by Lemma 5.8, $id_I \notin Def(s_1')$. Thus, $s_1; s_1' \equiv_{id_I} s_2'$ by definition.

B. We show that $S_1'$ and $S_2'; s_2$ equivalently compute $Imp(s_1; s_1', \{id_I\}) \cup Imp(s_2', \{id_I\})$.

The argument is of two parts. First, we need to show that $Def(s_2) \cap Imp(s_2', \{id_I\}) = \emptyset$. By Lemma 5.12, $Imp(s_2', \{id_I\}) \subseteq CVar(s_2')$. Thus, $Imp(s_2', \{id_I\}) \subseteq TVar(s_2')$. By assumption, $Def(s_2) \cap TVar(s_2') = \emptyset$. Then, $Def(s_2) \cap Imp(s_2', \{id_I\}) = \emptyset$. By Lemma 5.3, $Imp(s_1; s_1', \{id_I\}) = Imp(s_2', \{id_I\})$. Thus, $Def(s_2) \cap Imp(s_1; s_1', \{id_I\}) = \emptyset$.

Second, we show that $Imp(s_2', \{id_I\}) \subseteq TVar(s_2; s_2')$ and $Imp(s_1; s_1', \{id_I\}) \subseteq TVar(s_1; s_1')$. By Lemma 5.12, $Imp(s_1; s_1', \{id_I\}) \subseteq TVar(s_1; s_1')$ and $Imp(s_2', \{id_I\}) \subseteq TVar(s_2')$. Then we show that $TVar(s_2') \subseteq TVar(s_2; s_2')$. We need to show that $CVar(s_2') \subseteq CVar(s_2; s_2')$ and $LVar(s_2') \subseteq LVar(s_2; s_2')$.

$CVar(s_2; s_2')$
$= CVar(s_2) \cup Imp(s_2, CVar(s_2'))$ by the definition of crash variables

$Imp(s_2, CVar(s_2'))$
$= CVar(s_2')$ (1) by the assumption $Def(s_2) \cap TVar(s_2') = \emptyset$

$CVar(s_2) \cup Imp(s_2, CVar(s_2'))$
$= CVar(s_2) \cup CVar(s_2')$ by (1)

Similarly, $LVar(s_2') \subseteq LVar(s_2; s_2')$. Thus, $TVar(s_2') \subseteq TVar(s_2; s_2')$.

By assumption, $\forall x \in Imp(s_1; s_1', \{id_I\}) \cup Imp(s_2', \{id_I\}) : S_1' \equiv_x S_2'$. In addition, $Def(s_2) \cap (Imp(s_1; s_1', \{id_I\}) \cup Imp(s_2', \{id_I\})) = \emptyset$. Thus, $\forall x \in Imp(s_1; s_1', \{id_I\}) \cup Imp(s_2', \{id_I\}) : S_1' \equiv_x S_2'; s_2$. The lemma holds.

□

Lemma 5.14. If two programs $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, and $S_1$ and $S_2$ both terminate when started in their initial states with crash flags not set, $f_1 = f_2 = 0$, whose value stores agree on the values of the termination deciding variables of $S_1$ and $S_2$, $\forall x \in TVar(S_1) \cup TVar(S_2) : \sigma_1(x) = \sigma_2(x)$, and $S_1$ and $S_2$ are fed with the same infinite input sequence, $\sigma_1(id_I) = \sigma_2(id_I)$, $(S_1, m_1(f_1, \sigma_1)) \rightarrow^* (skip, m_1'(\sigma_1'))$ and $(S_2, m_2(f_2, \sigma_2)) \rightarrow^* (skip, m_2'(\sigma_2'))$, then the executions of $S_1$ and $S_2$ consume the same number of input values, $\sigma_1'(id_I) = \sigma_2'(id_I)$.

Proof. By Lemma 5.13, $S_1 \equiv_{id_I} S_2$. By Lemma 5.12, $Imp(S_1, \{id_I\}) \subseteq CVar(S_1)$ and $Imp(S_2, \{id_I\}) \subseteq CVar(S_2)$. By assumption, $\forall x \in Imp(S_1, \{id_I\}) \cup Imp(S_2, \{id_I\}) : \sigma_1(x) = \sigma_2(x)$. By Theorem 2, $\sigma_1'(id_I) = \sigma_2'(id_I)$. □

Theorem of two loop statements terminating in the same way

Lemma 5.15. Let $s_1 =$ "while$_{(n_1)}$($e$)$\{S_1\}$" and $s_2 =$ "while$_{(n_2)}$($e$)$\{S_2\}$" be two while statements with the same set of termination deciding variables in programs $P_1$ and $P_2$ respectively, whose bodies $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of variables in $TVar(s)$, and $S_1$ and $S_2$ terminate in the same way when started in states with crash flags not set and agreeing on the values of variables in $TVar(S_1) \cup TVar(S_2)$:

• $TVar(s_1) = TVar(s_2) = TVar(s)$;

• $\forall x \in TVar(s) : S_1 \equiv_x S_2$;

• $\forall m_{S_1}(f_{S_1}, \sigma_{S_1})\, m_{S_2}(f_{S_2}, \sigma_{S_2})$:
$((\forall z \in TVar(S_1) \cup TVar(S_2) : \sigma_{S_1}(z) = \sigma_{S_2}(z)) \wedge (f_{S_1} = f_{S_2} = 0)) \Rightarrow (S_1, m_{S_1}(f_{S_1}, \sigma_{S_1})) \equiv_T (S_2, m_{S_2}(f_{S_2}, \sigma_{S_2}))$.

If $s_1$ and $s_2$ start in the states $m_1(f_1, loop_c, \sigma_1)$ and $m_2(f_2, loop_c, \sigma_2)$ respectively, in which crash flags are not set, $f_1 = f_2 = 0$, $s_1$ and $s_2$ have not already executed, $loop_c(n_1) = loop_c(n_2) = 0$, and value stores $\sigma_1$ and $\sigma_2$ agree on the values of variables in $TVar(s)$, $\forall x \in TVar(s) : \sigma_1(x) = \sigma_2(x)$, then, for any positive integer $i$, one of the following holds:

1. The loop counters for $s_1$ and $s_2$ are less than $i$, where $s_1$ and $s_2$ terminate in the same way:

$\forall m_1'\, m_2'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$ and $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$, $loop_c'(n_1) < i$ and $loop_c'(n_2) < i$ and one of the following holds:

(a) $s_1$ and $s_2$ both terminate:

$(s_1, m_1) \rightarrow^* (skip, m_1'')$ and $(s_2, m_2) \rightarrow^* (skip, m_2'')$.

(b) $s_1$ and $s_2$ both do not terminate:

$\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$ and $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ in which $S_{1_k} \neq skip$, $S_{2_k} \neq skip$.

2. The loop counters for $s_1$ and $s_2$ are less than or equal to $i$, where $s_1$ and $s_2$ do not terminate such that there are no configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$, and value stores agree on the values of variables in $TVar(s)$:

• $\forall m_1'\, m_2'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$, $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$ where $loop_c'(n_1) \leq i$, $loop_c'(n_2) \leq i$;

• $\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$, $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ where $S_{1_k} \neq skip$, $S_{2_k} \neq skip$; and

• $\nexists (s_1, m_{1_i}), (s_2, m_{2_i})$: $(s_1, m_1) \rightarrow^* (s_1, m_{1_i}(f_1, loop_c^{i}, \sigma_{1_i})) \wedge (s_2, m_2) \rightarrow^* (s_2, m_{2_i}(f_2, loop_c^{i}, \sigma_{2_i}))$ where

▪ $f_1 = f_2 = 0$; and

▪ $loop_c^{i}(n_1) = loop_c^{i}(n_2) = i$; and

▪ $\forall x \in TVar(s) : \sigma_{1_i}(x) = \sigma_{2_i}(x)$.

3. There are two configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$ and value stores agree on the values of variables in $TVar(s)$, and for every state in the execution $(s_1, m_1) \rightarrow^* (s_1, m_{1_i})$ or $(s_2, m_2) \rightarrow^* (s_2, m_{2_i})$, the loop counters for $s_1$ and $s_2$ are less than or equal to $i$ respectively:

$\exists (s_1, m_{1_i}), (s_2, m_{2_i})$: $(s_1, m_1) \rightarrow^* (s_1, m_{1_i}(f_1, loop_c^{i}, \sigma_{1_i})) \wedge (s_2, m_2) \rightarrow^* (s_2, m_{2_i}(f_2, loop_c^{i}, \sigma_{2_i}))$ where

• $f_1 = f_2 = 0$; and

• $loop_c^{i}(n_1) = loop_c^{i}(n_2) = i$; and

• $\forall x \in TVar(s) : \sigma_{1_i}(x) = \sigma_{2_i}(x)$; and

• $\forall m_1'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c')) \rightarrow^* (s_1, m_{1_i})$, $loop_c'(n_1) \leq i$; and

• $\forall m_2'$: $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c')) \rightarrow^* (s_2, m_{2_i})$, $loop_c'(n_2) \leq i$;


Proof. By induction on $i$.

Base case, $i = 1$.

By assumption, the initial loop counters of $s_1$ and $s_2$ are of value zero. The initial value stores $\sigma_1$ and $\sigma_2$ agree on the values of variables in $TVar(s)$. Then we show one of the following cases holds:

1. The loop counters for $s_1$ and $s_2$ are less than 1, and $s_1$ and $s_2$ terminate in the same way:

$\forall m_1'\, m_2'$ such that $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$ and $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$, $loop_c'(n_1) < 1$ and $loop_c'(n_2) < 1$ and one of the following holds:

(a) $s_1$ and $s_2$ both terminate:

$(s_1, m_1) \rightarrow^* (skip, m_1'')$ and $(s_2, m_2) \rightarrow^* (skip, m_2'')$.

(b) $s_1$ and $s_2$ both do not terminate:

$\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$ and $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ in which $S_{1_k} \neq skip$, $S_{2_k} \neq skip$.

2. The loop counters for $s_1$ and $s_2$ are less than or equal to 1, and $s_1$ and $s_2$ do not terminate such that there are no configurations $(s_1, m_{1_1})$ and $(s_2, m_{2_1})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to 1 and value stores agree on the values of variables in $TVar(s)$:

• $\forall m_1'\, m_2'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$, $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$ where $loop_c'(n_1) \leq 1$, $loop_c'(n_2) \leq 1$;

• $\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$, $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ where $S_{1_k} \neq skip$, $S_{2_k} \neq skip$; and

• $\nexists (s_1, m_{1_1}), (s_2, m_{2_1})$: $(s_1, m_1) \rightarrow^* (s_1, m_{1_1}(f_1, loop_c^{1}, \sigma_{1_1})) \wedge (s_2, m_2) \rightarrow^* (s_2, m_{2_1}(f_2, loop_c^{1}, \sigma_{2_1}))$ where

▪ $f_1 = f_2 = 0$; and

▪ $loop_c^{1}(n_1) = loop_c^{1}(n_2) = 1$; and

▪ $\forall x \in TVar(s) : \sigma_{1_1}(x) = \sigma_{2_1}(x)$.

3. There are two configurations $(s_1, m_{1_1})$ and $(s_2, m_{2_1})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ respectively, in which the loop counters of $s_1$ and $s_2$ are equal to 1 and value stores agree on the values of variables in $TVar(s)$ and, for every state in the execution $(s_1, m_1) \rightarrow^* (s_1, m_{1_1})$ or $(s_2, m_2) \rightarrow^* (s_2, m_{2_1})$, the loop counters for $s_1$ and $s_2$ are less than or equal to 1 respectively:

$\exists (s_1, m_{1_1}), (s_2, m_{2_1})$: $(s_1, m_1) \rightarrow^* (s_1, m_{1_1}(f_1, loop_c^{1}, \sigma_{1_1})) \wedge (s_2, m_2) \rightarrow^* (s_2, m_{2_1}(f_2, loop_c^{1}, \sigma_{2_1}))$ where

• $f_1 = f_2 = 0$; and

• $loop_c^{1}(n_1) = loop_c^{1}(n_2) = 1$; and

• $\forall x \in TVar(s) : \sigma_{1_1}(x) = \sigma_{2_1}(x)$; and

• $\forall m_1'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c')) \rightarrow^* (s_1, m_{1_1})$, $loop_c'(n_1) \leq 1$; and

• $\forall m_2'$: $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c')) \rightarrow^* (s_2, m_{2_1})$, $loop_c'(n_2) \leq 1$.

We show that the evaluations of the predicate expression of $s_1$ and $s_2$ w.r.t. the value stores $\sigma_1$ and $\sigma_2$ produce the same value. By the definition of loop variables, $LVar(s_1) = \bigcup_{j \geq 0} Imp(S_1^{j}, LVar(S_1) \cup Use(e))$.

By our notation of $S^{0}$, $S_1^{0} = skip$. By the definition of loop variables, $Use(e) \subseteq LVar(s) = LVar(s_1)$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $Use(e)$. By Lemma D.1, the predicate expression $e$ of $s_1$ and $s_2$ evaluates to the same value $v$ w.r.t. the value stores $\sigma_1$, $\sigma_2$: $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2$. Then there are three possibilities.

1. $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (error, *)$

The execution from $(s_1, m_1(f_1, loop_c, \sigma_1))$ proceeds as follows.

$(s_1, m_1(f_1, loop_c, \sigma_1))$
$= (\text{while}_{(n_1)}(e)\{S_1\}, m_1(f_1, loop_c, \sigma_1))$
$\rightarrow (\text{while}_{(n_1)}((error, *))\{S_1\}, m_1(f_1, loop_c, \sigma_1))$ by the E-Eval rule
$\rightarrow (\text{while}_{(n_1)}(0)\{S_1\}, m_1(1/f_1))$ by the E-Crash rule
$\rightarrow^k (\text{while}_{(n_1)}(0)\{S_1\}, m_1(1/f_1, loop_c, \sigma_1))$, for any $k > 0$, by the Crash rule.

Similarly, the execution of $s_2$ started in the state $m_2(f_2, loop_c, \sigma_2)$ does not terminate.

The loop counters of $s_1$ and $s_2$ are less than 1:

$\forall m_1'\, m_2'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$ and $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$ where $loop_c'(n_1) < 1$ and $loop_c'(n_2) < 1$.

Besides, $s_1$ and $s_2$ both do not terminate when started in states $m_1$ and $m_2$: $\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$ and $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ in which $S_{1_k} \neq skip$, $S_{2_k} \neq skip$.

2. $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (0, v_{of})$

The execution of $s_1$ proceeds as follows.

$(s_1, m_1(loop_c, \sigma_1))$
$= (\text{while}_{(n_1)}(e)\{S_1\}, m_1(loop_c, \sigma_1))$
$\rightarrow (\text{while}_{(n_1)}((0, v_{of}))\{S_1\}, m_1(loop_c, \sigma_1))$ by the E-Eval rule
$\rightarrow (\text{while}_{(n_1)}(0)\{S_1\}, m_1(loop_c, \sigma_1))$ by the E-Oflow1 or E-Oflow2 rule
$\rightarrow (skip, m_1)$ by the Wh-F1 rule.

Similarly, $(s_2, m_2(loop_c, \sigma_2)) \rightarrow^* (skip, m_2)$.

The loop counters for $s_1$ and $s_2$ are less than 1:

$\forall m_1'\, m_2'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$ and $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$ where $loop_c'(n_1) < 1$ and $loop_c'(n_2) < 1$.

Besides, $s_1$ and $s_2$ both terminate when started in states $m_1$ and $m_2$:

$(s_1, m_1) \rightarrow^* (skip, m_1'')$ and $(s_2, m_2) \rightarrow^* (skip, m_2'')$.

3. $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (v, v_{of})$ where $v \notin \{0, error\}$;

The execution from $(s_1, m_1(loop_c, \sigma_1))$ proceeds as follows.

$(s_1, m_1(loop_c, \sigma_1))$
$= (\text{while}_{(n_1)}(e)\{S_1\}, m_1(loop_c, \sigma_1))$
$\rightarrow (\text{while}_{(n_1)}((v, v_{of}))\{S_1\}, m_1(loop_c, \sigma_1))$ by the E-Eval rule
$\rightarrow (\text{while}_{(n_1)}(v)\{S_1\}, m_1(loop_c, \sigma_1))$ by rule E-Oflow1 or E-Oflow2
$\rightarrow (S_1; \text{while}_{(n_1)}(e)\{S_1\}, m_1(loop_c[1/n_1], \sigma_1))$ by the Wh-T1 rule.

Similarly, $(s_2, m_2(loop_c, \sigma_2)) \rightarrow^* (S_2; \text{while}_{(n_2)}(e)\{S_2\}, m_2(loop_c[1/n_2], \sigma_2))$. After two steps of executions of $s_1$ and $s_2$, crash flags are not set, the loop counter values of $s_1$ and $s_2$ are 1, and the value stores $\sigma_1$ and $\sigma_2$ agree on the values of variables in $TVar(s)$.

We show that $TVar(S_1) \subseteq TVar(s)$. By the definition of loop variables, $LVar(s_1) = \bigcup_{j \geq 0} Imp(S_1^{j}, LVar(S_1) \cup Use(e))$. By the notation of $S^{0}$, $S_1^{0} = skip$. By the definition of imported variables, $Imp(S_1^{0}, LVar(S_1) \cup Use(e)) = LVar(S_1) \cup Use(e)$.

Then $LVar(S_1) \subseteq LVar(s)$. By a similar argument, we have $CVar(S_1) \subseteq CVar(s)$. Hence, $TVar(S_1) \subseteq TVar(s)$. Similarly, $TVar(S_2) \subseteq TVar(s)$. By assumption, $S_1$ and $S_2$ either both terminate or both do not terminate when started in the states $m_1(loop_c[1/n_1], \sigma_1)$ and $m_2(loop_c[1/n_2], \sigma_2)$ in which $\forall y \in TVar(S_1) \cup TVar(S_2) : \sigma_1(y) = \sigma_2(y)$ and crash flags are not set. Then there are two possibilities:

(a) $S_1$ and $S_2$ both terminate when started in states $m_1(loop_c[1/n_1], \sigma_1)$ and $m_2(loop_c[1/n_2], \sigma_2)$ respectively:
$(S_1, m_1(loop_c[1/n_1], \sigma_1)) \rightarrow^* (skip, m_{1_1}(f_1, loop_c^{1}, \sigma_{1_1}))$ and
$(S_2, m_2(loop_c[1/n_2], \sigma_2)) \rightarrow^* (skip, m_{2_1}(f_2, loop_c^{1}, \sigma_{2_1}))$.

We show that, after the full execution of $S_1$ and $S_2$, the following five properties hold.

• The crash flags are not set.

By the definition of terminating execution, crash flags are not set, $f_1 = f_2 = 0$.

• The loop counters of $s_1$ and $s_2$ are of value 1, $loop_c^{1}(n_1) = loop_c^{1}(n_2) = 1$.

By the assumption of unique loop labels, $s_1 \notin S_1$. Then, the loop counter value of $n_1$ is not redefined in the execution of $S_1$; by Corollary E.2, $loop_c[1/n_1](n_1) = loop_c^{1}(n_1) = 1$. Similarly, the loop counter value of $n_2$ is not redefined in the execution of $S_2$, $loop_c[1/n_2](n_2) = loop_c^{1}(n_2) = 1$.

• In any state in the execution $(s_1, m_1) \rightarrow^* (s_1, m_{1_1}(loop_c^{1}, \sigma_{1_1}))$, the loop counter of $s_1$ is less than or equal to 1.

As is shown above, the loop counter of $s_1$ is zero in any of the two states in the one-step execution $(s_1, m_1) \rightarrow (\text{while}_{(n_1)}(v)\{S_1\}, m_1(loop_c, \sigma_1))$, and the loop counter of $s_1$ is 1 in any state in the execution $(S_1; \text{while}_{(n_1)}(e)\{S_1\}, m_1(loop_c[1/n_1], \sigma_1)) \rightarrow^* (s_1, m_{1_1}(loop_c^{1}, \sigma_{1_1}))$.

• In any state in the execution $(s_2, m_2) \rightarrow^* (s_2, m_{2_1}(loop_c^{1}, \sigma_{2_1}))$, the loop counter of $s_2$ is less than or equal to 1.

By a similar argument to the above.

• The value stores $\sigma_{1_1}$ and $\sigma_{2_1}$ agree on the values of the termination deciding variables in $s_1$ and $s_2$: $\forall x \in TVar(s) : \sigma_{1_1}(x) = \sigma_{2_1}(x)$.

We show that the imported variables in $S_1$ relative to those in $LVar(s)$ are a subset of $LVar(s)$ and the imported variables in $S_1$ relative to those in $CVar(s)$ are a subset of $CVar(s)$.

$LVar(s_1)$
$= \bigcup_{j \geq 0} Imp(S_1^{j}, LVar(S_1) \cup Use(e))$ (1) by the definition of loop variables.

$Imp(S_1, LVar(s)) = Imp(S_1, LVar(s_1))$
$= Imp(S_1, Imp(s_1, Use(e) \cup LVar(S_1)))$ by the definition of $LVar(s)$
$= Imp(S_1, \bigcup_{j \geq 0} Imp(S_1^{j}, LVar(S_1) \cup Use(e)))$ by (1)
$= \bigcup_{j \geq 0} Imp(S_1, Imp(S_1^{j}, LVar(S_1) \cup Use(e)))$ by Lemma C.[?]
$= \bigcup_{j > 0} Imp(S_1^{j}, LVar(S_1) \cup Use(e))$ by Lemma C.[?]
$\subseteq \bigcup_{j \geq 0} Imp(S_1^{j}, LVar(S_1) \cup Use(e))$
$= Imp(s_1, LVar(S_1) \cup Use(e)) = LVar(s_1) = LVar(s)$.

Similarly, $Imp(S_1, CVar(s)) \subseteq CVar(s)$. Hence, $Imp(S_1, TVar(s)) \subseteq TVar(s)$. In the same way, we can show that $Imp(S_2, TVar(s)) \subseteq TVar(s)$. Consequently, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the imported variables in $S_1$ and $S_2$ relative to those in $TVar(s)$, $\forall x \in Imp(S_1, TVar(s)) \cup Imp(S_2, TVar(s)) : \sigma_1(x) = \sigma_2(x)$. Because $S_1$ and $S_2$ have equivalent computation of every variable in $TVar(s)$ when started in states agreeing on the values of the imported variables relative to $TVar(s)$, by Theorem 1 the value stores $\sigma_{1_1}$ and $\sigma_{2_1}$ agree on the values of the variables in $TVar(s)$, $\forall x \in TVar(s) : \sigma_{1_1}(x) = \sigma_{2_1}(x)$.

It follows that, by Corollary E.1,
$(S_1; \text{while}_{(n_1)}(e)\{S_1\}, m_1(loop_c[1/n_1], \sigma_1)) \rightarrow^* (\text{while}_{(n_1)}(e)\{S_1\}, m_{1_1}(loop_c^{1}, \sigma_{1_1})) = (s_1, m_{1_1}(loop_c^{1}, \sigma_{1_1}))$
and
$(S_2; \text{while}_{(n_2)}(e)\{S_2\}, m_2(loop_c[1/n_2], \sigma_2)) \rightarrow^* (\text{while}_{(n_2)}(e)\{S_2\}, m_{2_1}(loop_c^{1}, \sigma_{2_1})) = (s_2, m_{2_1}(loop_c^{1}, \sigma_{2_1}))$.

(b) $S_1$ and $S_2$ do not terminate when started in states $m_1(loop_c[1/n_1], \sigma_1)$ and $m_2(loop_c[1/n_2], \sigma_2)$ respectively:

$\forall k > 0$: $(S_1, m_1(loop_c[1/n_1], \sigma_1)) \rightarrow^k (S_{1_k}, m_{1_{1_k}}(loop_c^{1_k}, \sigma_{1_{1_k}}))$ and $(S_2, m_2(loop_c[1/n_2], \sigma_2)) \rightarrow^k (S_{2_k}, m_{2_{1_k}}(loop_c^{1_k}, \sigma_{2_{1_k}}))$ in which $S_{1_k} \neq skip$, $S_{2_k} \neq skip$.

By our assumption of unique loop labels, $s_1 \notin S_1$. Then, $\forall k > 0 : loop_c^{1_k}(n_1) = loop_c[1/n_1](n_1) = 1$. Similarly, $\forall k > 0 : loop_c^{1_k}(n_2) = loop_c[1/n_2](n_2) = 1$. In addition, by Lemma E.2,
$\forall k > 0$: $(S_1; s_1, m_1(loop_c[1/n_1], \sigma_1)) \rightarrow^k (S_{1_k}; s_1, m_{1_{1_k}}(loop_c^{1_k}, \sigma_{1_{1_k}}))$ and $(S_2; s_2, m_2(loop_c[1/n_2], \sigma_2)) \rightarrow^k (S_{2_k}; s_2, m_{2_{1_k}}(loop_c^{1_k}, \sigma_{2_{1_k}}))$ in which $S_{1_k} \neq skip$, $S_{2_k} \neq skip$.

In summary, the loop counters of $s_1$ and $s_2$ are less than or equal to 1, and $s_1$ and $s_2$ do not terminate such that there are no configurations $(s_1, m_{1_1})$ and $(s_2, m_{2_1})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to 1 and value stores agree on the values of variables in $TVar(s)$.

Induction Step.

The induction hypothesis IH is that, for a positive integer $i$, one of the following holds:

1. The loop counters for $s_1$ and $s_2$ are less than $i$, and $s_1$ and $s_2$ both terminate in the same way:

$\forall m_1'\, m_2'$ such that $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$ and $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$, $loop_c'(n_1) < i$ and $loop_c'(n_2) < i$ and one of the following holds:

(a) $s_1$ and $s_2$ both terminate:

$(s_1, m_1) \rightarrow^* (skip, m_1'')$ and $(s_2, m_2) \rightarrow^* (skip, m_2'')$.

(b) $s_1$ and $s_2$ both do not terminate:

$\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$ and $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ in which $S_{1_k} \neq skip$, $S_{2_k} \neq skip$.

2. The loop counters for $s_1$ and $s_2$ are less than or equal to $i$, and $s_1$ and $s_2$ do not terminate such that there are no configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$ and value stores agree on the values of variables in $TVar(s)$:

• $\forall m_1'\, m_2'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$, $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$ where $loop_c'(n_1) \leq i$, $loop_c'(n_2) \leq i$;

• $\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$, $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ where $S_{1_k} \neq skip$, $S_{2_k} \neq skip$; and

• $\nexists (s_1, m_{1_i}), (s_2, m_{2_i})$: $(s_1, m_1) \rightarrow^* (s_1, m_{1_i}(f_1, loop_c^{i}, \sigma_{1_i})) \wedge (s_2, m_2) \rightarrow^* (s_2, m_{2_i}(f_2, loop_c^{i}, \sigma_{2_i}))$ where

▪ $f_1 = f_2 = 0$; and

▪ $loop_c^{i}(n_1) = loop_c^{i}(n_2) = i$; and

▪ $\forall x \in TVar(s) : \sigma_{1_i}(x) = \sigma_{2_i}(x)$.

3. There are two configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$ and value stores agree on the values of variables in $TVar(s)$ and, for every state in the execution $(s_1, m_1) \rightarrow^* (s_1, m_{1_i})$ or $(s_2, m_2) \rightarrow^* (s_2, m_{2_i})$, the loop counters for $s_1$ and $s_2$ are less than or equal to $i$ respectively:




$\exists (s_1, m_{1_i}), (s_2, m_{2_i})$: $(s_1, m_1) \rightarrow^* (s_1, m_{1_i}(f_1, loop_c^{i}, \sigma_{1_i})) \wedge (s_2, m_2) \rightarrow^* (s_2, m_{2_i}(f_2, loop_c^{i}, \sigma_{2_i}))$ where

• $f_1 = f_2 = 0$; and

• $loop_c^{i}(n_1) = loop_c^{i}(n_2) = i$; and

• $\forall x \in TVar(s) : \sigma_{1_i}(x) = \sigma_{2_i}(x)$; and

• $\forall m_1'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c')) \rightarrow^* (s_1, m_{1_i})$, $loop_c'(n_1) \leq i$; and

• $\forall m_2'$: $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c')) \rightarrow^* (s_2, m_{2_i})$, $loop_c'(n_2) \leq i$;

Then we show that, for the positive integer $i + 1$, one of the following holds:

1. The loop counters for $s_1$ and $s_2$ are less than $i + 1$, and $s_1$ and $s_2$ both terminate in the same way:

$\forall m_1'\, m_2'$ such that $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$ and $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$, $loop_c'(n_1) < i + 1$ and $loop_c'(n_2) < i + 1$ and one of the following holds:

(a) $s_1$ and $s_2$ both terminate:

$(s_1, m_1) \rightarrow^* (skip, m_1'')$ and $(s_2, m_2) \rightarrow^* (skip, m_2'')$.

(b) $s_1$ and $s_2$ both do not terminate:

$\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$ and $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ in which $S_{1_k} \neq skip$, $S_{2_k} \neq skip$.

2. The loop counters for $s_1$ and $s_2$ are less than or equal to $i + 1$, and $s_1$ and $s_2$ do not terminate such that there are no configurations $(s_1, m_{1_{i+1}})$ and $(s_2, m_{2_{i+1}})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i + 1$ and value stores agree on the values of variables in $TVar(s)$:

• $\forall m_1'\, m_2'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c'))$, $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c'))$ where $loop_c'(n_1) \leq i + 1$, $loop_c'(n_2) \leq i + 1$;

• $\forall k > 0$: $(s_1, m_1) \rightarrow^k (S_{1_k}, m_{1_k})$, $(s_2, m_2) \rightarrow^k (S_{2_k}, m_{2_k})$ where $S_{1_k} \neq skip$, $S_{2_k} \neq skip$; and

• $\nexists (s_1, m_{1_{i+1}}), (s_2, m_{2_{i+1}})$: $(s_1, m_1) \rightarrow^* (s_1, m_{1_{i+1}}(f_1, loop_c^{i+1}, \sigma_{1_{i+1}})) \wedge (s_2, m_2) \rightarrow^* (s_2, m_{2_{i+1}}(f_2, loop_c^{i+1}, \sigma_{2_{i+1}}))$ where

▪ $f_1 = f_2 = 0$; and

▪ $loop_c^{i+1}(n_1) = loop_c^{i+1}(n_2) = i + 1$; and

▪ $\forall x \in TVar(s) : \sigma_{1_{i+1}}(x) = \sigma_{2_{i+1}}(x)$.

3. There are two configurations $(s_1, m_{1_{i+1}})$ and $(s_2, m_{2_{i+1}})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which the loop counters of $s_1$ and $s_2$ are equal to $i + 1$ and value stores agree on the values of variables in $TVar(s)$ and, for every state in the execution $(s_1, m_1) \rightarrow^* (s_1, m_{1_{i+1}})$ or $(s_2, m_2) \rightarrow^* (s_2, m_{2_{i+1}})$, the loop counters for $s_1$ and $s_2$ are less than or equal to $i + 1$ respectively:

$\exists (s_1, m_{1_{i+1}}), (s_2, m_{2_{i+1}})$: $(s_1, m_1) \rightarrow^* (s_1, m_{1_{i+1}}(loop_c^{i+1}, \sigma_{1_{i+1}})) \wedge (s_2, m_2) \rightarrow^* (s_2, m_{2_{i+1}}(loop_c^{i+1}, \sigma_{2_{i+1}}))$ where

• $loop_c^{i+1}(n_1) = loop_c^{i+1}(n_2) = i + 1$; and

• $\forall x \in TVar(s) : \sigma_{1_{i+1}}(x) = \sigma_{2_{i+1}}(x)$; and

• $\forall m_1'$: $(s_1, m_1) \rightarrow^* (S_1', m_1'(loop_c')) \rightarrow^* (s_1, m_{1_{i+1}})$, $loop_c'(n_1) \leq i + 1$; and

• $\forall m_2'$: $(s_2, m_2) \rightarrow^* (S_2', m_2'(loop_c')) \rightarrow^* (s_2, m_{2_{i+1}})$, $loop_c'(n_2) \leq i + 1$;

By the hypothesis IH, one of the following holds: 


1 . The loop counters for si and S2 are less than i: 

Vm'i m2 such that (si, mi) A (S(, m'l (loop) ))and(s2,m2) A 
(S 2 ,m 2 (loop)')), 

loop) (ni) < i and loop) (712) < i and one of the following 
holds: 

(a) Si and S2 both terminate: 

(si,mi) —>■ (skip, m'l') and (82, m2) —>■ (skip,m2'). 

(b) Si and S2 both do not terminate: 

Vfc > 0, (si,mi) A (Si;,,mi;;,) and {82,m2) A {82k,m2^) 
in which 81^, 7^ skip, 82^. 7^ skip. 

When this case holds, then we have the loop counters for si and 
82 are less than i + 1, and si and S2 both terminate in the same 
way: 

Vm'i m2 such that (si, mi) A (S(, m'l (loop) ))and(s2,m2) A 
(S2,m2(loop)')), 

loop) (ni) < i + 1 and loop) (712) < i + 1 and one of the 
following holds: 

(a) Si and S2 both terminate: 

(si,mi) —>■ (skip, m'l') and (82, m2) —>■ (skip,m2'). 

(b) Si and S2 both do not terminate: 

Vfc > 0, (si,mi) ^ (Si;,,mi;;) and (82,m2) A {82^,m2^) 
in which Si;; 7^ skip, 82^. 7^ skip. 

2 . The loop counters for si and S2 are less than or equal to i, and 
Si and S2 both do not terminate such that there are no config¬ 
urations (si,mi;) and (s2,m2;) reachable from (si,mi) and 
(s2, m2), respectively, in which the loop counters of si and 82 
are equal to i and value stores agree on the values of variables 
in TVar(s): 

• Vm'i m2 : (si,mi) A (Si, m'i(loop) )), (s2, m2) A 
(S2,m2(loop) )) where loop) (ni) < t,loop) (112) < i; 

• Vfc > 0 : (si,mi) A (Si;,,mi;,), (S2,m2) A (S2fc,m2;,) 

where Si;, 7^ skip, 82^ 2^ skip; and 

J(si,miJ,(s2,m2i) : (si, mi) A (si, mi; (fi, loop)*, cti; 
{82,m2) A (S2,m2;(f2,loop)*,(72;)) where 

■ fi = (2 = 0; and 

■ loop)*(ni) = loop)*(n2) = i; and 

■ Vx G TVar(s) : (7i;(x) = (72; (x). 

When this case holds, we have the loop counter of si and 82 are 
less than i -I- 1 , and si and 82 both do not terminate: 

Vm'i m2 such that (si, mi) A (S(, m'i(loop) ))and(s2,m2) A 

(S2,m^(loop)')), 

loop) (ni) < i +1 and loop) (712) < i -I- 1 and si and S2 both 
do not terminate: 

Vfc > 0 , (si,mi) (Si;;,mi;,) and {82,m2) {82^,m2^) 

in which Si;, 7^ skip, 82^. 7^ skip. 

3 . There are two configurations (si,mi;) and (s2, m2;) reachable 
from (si, mi) and (s2, m2), respectively, in which crash flags 
are not set, the loop counters of si and 82 are equal to i 
and value stores agree on the values of variables in TVar(s) 
and, for every state in executions (si,mi) —>■ (si,mi;) and 
(s2, m2) A (s2, m2;) the loop counters for si and 82 are less 
than or equal to i respectively: 

3 (si,mi;) (S2,m2;) : (si,mi) A (si,mi;(fi,loop)*,(71;))A 
{82, m2) A (s2, m2; ((2, loop)*, (72;)) where 

• fi = (2 = 0; and 

• loop)*(ni) = loop)* (712) = i\ and 

• Vx G TVar(s), (7i;(x) = (72; (x); and 
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• Vm'i : (si,mi) A ( 55 ,mi(loopj )) A 
loopj (ni) < i\ and 

• Vmi : (S2,m2) A (S'i,mi(loop^ )) A (s2,m2j, 

loop^ (n2) < i. 

By similar argument in base case, evaluations of the predicate 
expression of si and si w.r.t value stores (ti . and produce 
same value. Then there are three possibilities: 

(a) £:'|e|cri^ =S'le}a2i = (error,*). 

Then the execution of si proceeds as follows. 

(si,mi,(fi,crij) 

= (while(„j)(e) {Si},mi.(fi,cri,)) 

—>'(while/„, \ ((error, *)) jS'il, mi. (fi, cri -)) by the EEvaT rule 
^(while|„:! ( 0 ) {Ai; mi, ( 1 /fi)) by the ECrash rule 
A(while^„,) ( 0 ) {S'!}, mi,(l/fi)), for any A: > 0 , by the Crash rule. 
Similarly, the execution of S2 started in the state m2, (0-2,) 
does not terminate. 

The loop counters for si and S2 are less than i + 1 : 

\lm\rri2 such that (si,mi) A (Si, mi (loop), )) and 

(S 2 ,m 2 ) A (Si,m 2 (loop) )), 

loop) (ni) < i + 1 and loop) (712) < i + 1 . 

Besides, si and $2 both do not terminate when started in 
states mi and m2, 

Vfc > 0 , (si,mi) (Si„, mi,.) and (s2,m2) ->■ (^2^, m2,,) 
in which Si,. 7^ skip, 82^. 7^ skip. 

(b) S'lelcTi, = £'le\( 72 i = ( 0 , Uof) 

The execution from (si, mi, (loop)*, ci,)) proceeds as fol¬ 
lows. 

(si,mi, (loop)%(Ti,)) 

= (while(„,)(e) {Si}, mi, (loop)S cri,)) 

—>-(while(„,)(( 0 , Vof)) {Si}, mi, (loop)% cri,)) by rule EEvaT 
-)-(while(„,)( 0 ) {Si},mi,(loop)S(Ti,)) 
by rule E-Oflowl or E-Oflow 2 
—^(skip, mi, (loop)* [ 0 /(ni)], ( 71 ,)) by the Wh-E 2 rule. 

By the hypothesis IH, the loop counter of si and S2 in any 
configuration in executions (si,mi) A (si, mi, (loop)*, (ti,)) 
and (S2,m2) A (s2,m2,(loop)S< 72 ,)) respectively are 
less than or equal to i, 

Vmi : (si,mi) A (Si,mi(loop) )) A (si, mi, (loop)% 

( 71 ,)), loop) (ni) < i; and 

Vmj : (S2,m2) A (Si,mi(loop) )) A (s2, m2, (loop)S 
( 72 ,)), loop) (712) < i. 

Therefore, si and S2 both terminate and the loop counter 
of Si and S2 in any state in executions respectively are less 
than i + 1. 

(c) S'|el|( 7 i, = S'|[e|( 72 , = {v,Vof) where u ^ { 0 , error}; 

The execution from (si, mi, (loop)*, ( 7 i,)) proceeds as fol¬ 
lows. 

(si,mi, (loop)%( 7 i,)) 

= (while(„,)(e) {Si}, mi, (loop)S ( 7 i,)) 

—>-(while(„,)((ii,iiof)) {Si},mi, (loop)\( 7 i,)) by rule EEvaT 
—>-(while(„,)((ii,iiof)) {Si},mi, (loop)%( 7 i,)) by rule EEvaT 
-)-(while(„,) (u) {Si}, mi, (loop)*, ( 7 i,)) 
by rule E-Oflowl or E-Oflow 2 
-)-(Si; while<„,)(e) {Si}, mi, (loop)* [(*-T l)/(ni)], 

( 71 ,)) by rule Wh-T. 

Similarly, (s2,m2, (loop)S (72,)) A (S2; while(„2> (e){'S'2}, 
m2, (loop)*[(i -T l)/(n 2 )],( 72 ,)^ 

By similar argument in base case, the executions of Si 
and S2 terminate in the same way when started in states 


mi, (loop)* [(i-|-l)/(ni)], (7i,) and m 2 , (loop)* [(i-Tl)/ ( 712 )], (72,) 
respectively. Then there are two possibilities. 

i. Si and S 2 terminate when started in states mi, (loop)* [(i-T 
l)/(ni)],(7i,) and 

m 2 , (loop)* [(i + l)/(n 2 )], (72,) respectively 
(Si;si,mi,(loop)*[(i-|- l)/(ni)], (7i,)) A 
(fi, loop)*+i, (71,.^,)) and 
(S 2 ;si,m 2 , (loop)*[(i-|- l)/(n 2 )l, (72,)) A 
(s 2 , m 2 ,.,., (f 2 , loop)*+^, (72,.,.,)) such that all of the fol¬ 
lowing holds: 

• fi = (2 = 0; and 

• loop)*+i (ni) = loop)*+i ( 712 ) = 7 -T 1; and 

• Vt/ G TVar(s), (71,+, (y) = ( 72 ,+, {y), and 

• in any state in the execution 

(si,mi,) A (si,mi,+,(loop)*+i,(7i,+,)), the 
loop counter of si is less than or equal to i -T 1. 

• in any state in the executions 

(S 2 ,m 2 ,) A (s2,m2,+,(loop)*+i,(72,+,)), the 
loop counter of S 2 is less than or equal to i -T 1. 

With the hypothesis IH, there are two configurations $(s_1, m_{1_{i+1}})$ and $(s_2, m_{2_{i+1}})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i + 1$ and value stores agree on the values of $\mathrm{TVar}(s)$ and, for every state in the executions $(s_1, m_1) \rightarrow^{*} (s_1, m_{1_{i+1}})$ and $(s_2, m_2) \rightarrow^{*} (s_2, m_{2_{i+1}})$, the loop counters of $s_1$ and $s_2$ are less than or equal to $i + 1$ respectively:

$\exists (s_1, m_{1_{i+1}})\ (s_2, m_{2_{i+1}}) : (s_1, m_1) \rightarrow^{*} (s_1, m_{1_{i+1}}(f_1, \mathit{loop}_1^{i+1}, \sigma_{1_{i+1}})) \land (s_2, m_2) \rightarrow^{*} (s_2, m_{2_{i+1}}(f_2, \mathit{loop}_2^{i+1}, \sigma_{2_{i+1}}))$ where

• $f_1 = f_2 = 0$; and

• $\mathit{loop}_1^{i+1}(n_1) = \mathit{loop}_2^{i+1}(n_2) = i + 1$; and

• $\forall x \in \mathrm{TVar}(s),\ \sigma_{1_{i+1}}(x) = \sigma_{2_{i+1}}(x)$; and

• $\forall m_1' : (s_1, m_1) \rightarrow^{*} (S_1', m_1'(\mathit{loop}_1')) \rightarrow^{*} (s_1, m_{1_{i+1}}(\mathit{loop}_1^{i+1}, \sigma_{1_{i+1}}))$, $\mathit{loop}_1'(n_1) \le i + 1$; and

• $\forall m_2' : (s_2, m_2) \rightarrow^{*} (S_2', m_2'(\mathit{loop}_2')) \rightarrow^{*} (s_2, m_{2_{i+1}}(\mathit{loop}_2^{i+1}, \sigma_{2_{i+1}}))$, $\mathit{loop}_2'(n_2) \le i + 1$.

ii. $S_1$ and $S_2$ do not terminate when started in states $m_{1_i}(\mathit{loop}_1^i[(i+1)/(n_1)], \sigma_{1_i})$ and $m_{2_i}(\mathit{loop}_2^i[(i+1)/(n_2)], \sigma_{2_i})$ respectively:

$\forall k > 0,\ (S_1, m_{1_i}(\mathit{loop}_1^i[(i+1)/(n_1)], \sigma_{1_i})) \rightarrow^{k} (S_{1_k}, m_{1_k}(\mathit{loop}_{1_k}, \sigma_{1_k}))$ and $(S_2, m_{2_i}(\mathit{loop}_2^i[(i+1)/(n_2)], \sigma_{2_i})) \rightarrow^{k} (S_{2_k}, m_{2_k}(\mathit{loop}_{2_k}, \sigma_{2_k}))$ in which $S_{1_k} \neq \mathrm{skip}$, $S_{2_k} \neq \mathrm{skip}$.

By our assumption of unique loop labels, $s_1 \notin S_1$. Then, $\forall k > 0,\ \mathit{loop}_{1_k}(n_1) = \mathit{loop}_1^i[(i+1)/(n_1)](n_1) = i + 1$. Similarly, $\forall k > 0,\ \mathit{loop}_{2_k}(n_2) = \mathit{loop}_2^i[(i+1)/(n_2)](n_2) = i + 1$. In addition, by Lemma E.2,

$\forall k > 0,\ (S_1; s_1, m_{1_i}(\mathit{loop}_1^i[(i+1)/(n_1)], \sigma_{1_i})) \rightarrow^{k} (S_{1_k}; s_1, m_{1_k}(\mathit{loop}_{1_k}, \sigma_{1_k}))$ and $(S_2; s_2, m_{2_i}(\mathit{loop}_2^i[(i+1)/(n_2)], \sigma_{2_i})) \rightarrow^{k} (S_{2_k}; s_2, m_{2_k}(\mathit{loop}_{2_k}, \sigma_{2_k}))$ in which $S_{1_k} \neq \mathrm{skip}$, $S_{2_k} \neq \mathrm{skip}$.

In summary, the loop counters of $s_1$ and $s_2$ are less than or equal to $i + 1$, and $s_1$ and $s_2$ do not terminate, so that there are no configurations $(s_1, m_{1_{i+1}})$ and $(s_2, m_{2_{i+1}})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i + 1$ and value stores agree on the values of variables in $\mathrm{TVar}(s)$.

□ 

Corollary 5.3. Let $s_1 = $ “$\mathrm{while}_{(n_1)}(e)\{S_1\}$” and $s_2 = $ “$\mathrm{while}_{(n_2)}(e)\{S_2\}$” be two while statements with the same set of termination deciding variables, $\mathrm{TVar}(s_1) = \mathrm{TVar}(s_2) = \mathrm{TVar}(s)$, whose bodies $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of the variables in $\mathrm{TVar}(s)$, $\forall x \in \mathrm{TVar}(s) : S_1 =_x S_2$, and whose bodies $S_1$ and $S_2$ terminate in the same way when started in states with crash flags not set and agreeing on the values of variables in $\mathrm{TVar}(S_1) \cup \mathrm{TVar}(S_2)$:

$\forall m_{S_1}(f_{S_1}, \sigma_{S_1})\ m_{S_2}(f_{S_2}, \sigma_{S_2}) : (((\forall z \in \mathrm{TVar}(S_1) \cup \mathrm{TVar}(S_2)),\ \sigma_{S_1}(z) = \sigma_{S_2}(z)) \land (f_{S_1} = f_{S_2} = 0)) \Rightarrow (S_1, m_{S_1}(f_{S_1}, \sigma_{S_1})) =_H (S_2, m_{S_2}(f_{S_2}, \sigma_{S_2}))$.

If $s_1$ and $s_2$ start in states $m_1(f_1, \mathit{loop}_1, \sigma_1)$ and $m_2(f_2, \mathit{loop}_2, \sigma_2)$ respectively in which crash flags are not set, $f_1 = f_2 = 0$, $s_1$ and $s_2$ have not already executed, $\mathit{loop}_1(n_1) = \mathit{loop}_2(n_2) = 0$, and value stores $\sigma_1$ and $\sigma_2$ agree on the values of variables in $\mathrm{TVar}(s)$, $\forall x \in \mathrm{TVar}(s),\ \sigma_1(x) = \sigma_2(x)$, then $s_1$ and $s_2$ terminate in the same way:

1. $s_1$ and $s_2$ both terminate, $(s_1, m_1) \rightarrow^{*} (\mathrm{skip}, m_1')$, $(s_2, m_2) \rightarrow^{*} (\mathrm{skip}, m_2')$.

2. $s_1$ and $s_2$ both do not terminate, $\forall k > 0,\ (s_1, m_1) \rightarrow^{k} (S_{1_k}, m_{1_k})$, $(s_2, m_2) \rightarrow^{k} (S_{2_k}, m_{2_k})$ where $S_{1_k} \neq \mathrm{skip}$, $S_{2_k} \neq \mathrm{skip}$.

This follows immediately from Lemma 5.15.

Lemma 5.16 is necessary only for showing the same I/O sequence in the next section.

Lemma 5.16. Let $s_1 = $ “$\mathrm{while}_{(n_1)}(e)\{S_1\}$” and $s_2 = $ “$\mathrm{while}_{(n_2)}(e)\{S_2\}$” be two while statements in programs $P_1$ and $P_2$ respectively with the same set of termination deciding variables, $\mathrm{TVar}(s_1) = \mathrm{TVar}(s_2) = \mathrm{TVar}(s)$, whose bodies $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of the variables in $\mathrm{TVar}(s)$, $\forall x \in \mathrm{TVar}(s) : S_1 =_x S_2$, and whose bodies $S_1$ and $S_2$ terminate in the same way when started in states with crash flags not set and agreeing on the values of variables in $\mathrm{TVar}(S_1) \cup \mathrm{TVar}(S_2)$:

$\forall m_{S_1}(f_{S_1}, \sigma_{S_1})\ m_{S_2}(f_{S_2}, \sigma_{S_2}) : (((\forall z \in \mathrm{TVar}(S_1) \cup \mathrm{TVar}(S_2)),\ \sigma_{S_1}(z) = \sigma_{S_2}(z)) \land (f_{S_1} = f_{S_2} = 0)) \Rightarrow (S_1, m_{S_1}(f_{S_1}, \sigma_{S_1})) =_H (S_2, m_{S_2}(f_{S_2}, \sigma_{S_2}))$.

If $s_1$ and $s_2$ start in states $m_1(f_1, \mathit{loop}_1, \sigma_1)$ and $m_2(f_2, \mathit{loop}_2, \sigma_2)$ respectively in which crash flags are not set, $f_1 = f_2 = 0$, $s_1$ and $s_2$ have not already executed, $\mathit{loop}_1(n_1) = \mathit{loop}_2(n_2) = 0$, and value stores $\sigma_1$ and $\sigma_2$ agree on the values of variables in $\mathrm{TVar}(s)$, $\forall x \in \mathrm{TVar}(s),\ \sigma_1(x) = \sigma_2(x)$, then one of the following holds:

1. $s_1$ and $s_2$ both terminate and the loop counters of $s_1$ and $s_2$ are less than a positive integer $i$, that is, less than or equal to $i - 1$: $(s_1, m_1) \rightarrow^{*} (\mathrm{skip}, m_1')$, $(s_2, m_2) \rightarrow^{*} (\mathrm{skip}, m_2')$ where both of the following hold:

• The loop counters of $s_1$ and $s_2$ are less than a positive integer $i$: $\exists i > 0\ \forall m_1'\ m_2' : (s_1, m_1) \rightarrow^{*} (S_1', m_1'(\mathit{loop}_1'))$, $\mathit{loop}_1'(n_1) < i$ and $(s_2, m_2) \rightarrow^{*} (S_2', m_2'(\mathit{loop}_2'))$, $\mathit{loop}_2'(n_2) < i$.

• $\forall\, 0 \le j < i$, there are two configurations $(s_1, m_{1_j})$ and $(s_2, m_{2_j})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $j$ and value stores agree on the values of variables in $\mathrm{TVar}(s)$, and for every state in the execution $(s_1, m_1) \rightarrow^{*} (s_1, m_{1_j})$ or $(s_2, m_2) \rightarrow^{*} (s_2, m_{2_j})$, the loop counters of $s_1$ and $s_2$ are less than or equal to $j$ respectively:

$\exists (s_1, m_{1_j})\ (s_2, m_{2_j}) : (s_1, m_1) \rightarrow^{*} (s_1, m_{1_j}(f_1, \mathit{loop}_1^j, \sigma_{1_j})) \land (s_2, m_2) \rightarrow^{*} (s_2, m_{2_j}(f_2, \mathit{loop}_2^j, \sigma_{2_j}))$ where

▪ $f_1 = f_2 = 0$; and

▪ $\mathit{loop}_1^j(n_1) = \mathit{loop}_2^j(n_2) = j$; and

▪ $\forall x \in \mathrm{TVar}(s) : \sigma_{1_j}(x) = \sigma_{2_j}(x)$; and

▪ $\forall m_1' : (s_1, m_1) \rightarrow^{*} (S_1', m_1'(\mathit{loop}_1')) \rightarrow^{*} (s_1, m_{1_j})$, $\mathit{loop}_1'(n_1) \le j$; and

▪ $\forall m_2' : (s_2, m_2) \rightarrow^{*} (S_2', m_2'(\mathit{loop}_2')) \rightarrow^{*} (s_2, m_{2_j})$, $\mathit{loop}_2'(n_2) \le j$.

2. $s_1$ and $s_2$ both do not terminate, $\forall k > 0,\ (s_1, m_1) \rightarrow^{k} (S_{1_k}, m_{1_k})$, $(s_2, m_2) \rightarrow^{k} (S_{2_k}, m_{2_k})$ where $S_{1_k} \neq \mathrm{skip}$, $S_{2_k} \neq \mathrm{skip}$, such that one of the following holds:

(a) For any positive integer $i$, there are two configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$ and value stores agree on the values of variables in $\mathrm{TVar}(s)$, and for every state in the execution $(s_1, m_1) \rightarrow^{*} (s_1, m_{1_i})$ or $(s_2, m_2) \rightarrow^{*} (s_2, m_{2_i})$, the loop counters of $s_1$ and $s_2$ are less than or equal to $i$ respectively:

$\forall i > 0\ \exists (s_1, m_{1_i})\ (s_2, m_{2_i}) : (s_1, m_1) \rightarrow^{*} (s_1, m_{1_i}(f_1, \mathit{loop}_1^i, \sigma_{1_i})) \land (s_2, m_2) \rightarrow^{*} (s_2, m_{2_i}(f_2, \mathit{loop}_2^i, \sigma_{2_i}))$ where

• $f_1 = f_2 = 0$; and

• $\mathit{loop}_1^i(n_1) = \mathit{loop}_2^i(n_2) = i$; and

• $\forall x \in \mathrm{TVar}(s) : \sigma_{1_i}(x) = \sigma_{2_i}(x)$; and

• $\forall m_1' : (s_1, m_1) \rightarrow^{*} (S_1', m_1'(\mathit{loop}_1')) \rightarrow^{*} (s_1, m_{1_i})$, $\mathit{loop}_1'(n_1) \le i$; and

• $\forall m_2' : (s_2, m_2) \rightarrow^{*} (S_2', m_2'(\mathit{loop}_2')) \rightarrow^{*} (s_2, m_{2_i})$, $\mathit{loop}_2'(n_2) \le i$;

(b) The loop counters of $s_1$ and $s_2$ are less than a positive integer $i$, that is, less than or equal to $i - 1$, such that all of the following hold:

• $\exists i > 0,\ \forall m_1'\ m_2' : (s_1, m_1) \rightarrow^{*} (S_1', m_1'(\mathit{loop}_1'))$, $(s_2, m_2) \rightarrow^{*} (S_2', m_2'(\mathit{loop}_2'))$ where $\mathit{loop}_1'(n_1) < i$, $\mathit{loop}_2'(n_2) < i$;

• $\forall\, 0 \le j < i$, there are two configurations $(s_1, m_{1_j})$ and $(s_2, m_{2_j})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $j$ and value stores agree on the values of variables in $\mathrm{TVar}(s)$, and for every state in the execution $(s_1, m_1) \rightarrow^{*} (s_1, m_{1_j})$ or $(s_2, m_2) \rightarrow^{*} (s_2, m_{2_j})$, the loop counters of $s_1$ and $s_2$ are less than or equal to $j$ respectively:

$\exists (s_1, m_{1_j})\ (s_2, m_{2_j}) : (s_1, m_1) \rightarrow^{*} (s_1, m_{1_j}(f_1, \mathit{loop}_1^j, \sigma_{1_j})) \land (s_2, m_2) \rightarrow^{*} (s_2, m_{2_j}(f_2, \mathit{loop}_2^j, \sigma_{2_j}))$ where

▪ $f_1 = f_2 = 0$; and

▪ $\mathit{loop}_1^j(n_1) = \mathit{loop}_2^j(n_2) = j$; and

▪ $\forall x \in \mathrm{TVar}(s) : \sigma_{1_j}(x) = \sigma_{2_j}(x)$; and

▪ $\forall m_1' : (s_1, m_1) \rightarrow^{*} (S_1', m_1'(\mathit{loop}_1')) \rightarrow^{*} (s_1, m_{1_j})$, $\mathit{loop}_1'(n_1) \le j$; and

▪ $\forall m_2' : (s_2, m_2) \rightarrow^{*} (S_2', m_2'(\mathit{loop}_2')) \rightarrow^{*} (s_2, m_{2_j})$, $\mathit{loop}_2'(n_2) \le j$;

(c) The loop counters of $s_1$ and $s_2$ are less than or equal to some positive integer $i$ such that all of the following hold:

• $\exists i > 0\ \forall m_1'\ m_2' : (s_1, m_1) \rightarrow^{*} (S_1', m_1'(\mathit{loop}_1'))$, $(s_2, m_2) \rightarrow^{*} (S_2', m_2'(\mathit{loop}_2'))$ where $\mathit{loop}_1'(n_1) \le i$, $\mathit{loop}_2'(n_2) \le i$;

• $\forall\, 0 \le j < i$, there are two configurations $(s_1, m_{1_j})$ and $(s_2, m_{2_j})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $j$ and value stores agree on the values of variables in $\mathrm{TVar}(s)$, and for every state in the execution $(s_1, m_1) \rightarrow^{*} (s_1, m_{1_j})$ or $(s_2, m_2) \rightarrow^{*} (s_2, m_{2_j})$, the loop counters of $s_1$ and $s_2$ are less than or equal to $j$ respectively:

$\exists (s_1, m_{1_j})\ (s_2, m_{2_j}) : (s_1, m_1) \rightarrow^{*} (s_1, m_{1_j}(f_1, \mathit{loop}_1^j, \sigma_{1_j})) \land (s_2, m_2) \rightarrow^{*} (s_2, m_{2_j}(f_2, \mathit{loop}_2^j, \sigma_{2_j}))$ where

▪ $f_1 = f_2 = 0$; and

▪ $\mathit{loop}_1^j(n_1) = \mathit{loop}_2^j(n_2) = j$; and

▪ $\forall x \in \mathrm{TVar}(s) : \sigma_{1_j}(x) = \sigma_{2_j}(x)$; and

▪ $\forall m_1' : (s_1, m_1) \rightarrow^{*} (S_1', m_1'(\mathit{loop}_1')) \rightarrow^{*} (s_1, m_{1_j})$, $\mathit{loop}_1'(n_1) \le j$; and

▪ $\forall m_2' : (s_2, m_2) \rightarrow^{*} (S_2', m_2'(\mathit{loop}_2')) \rightarrow^{*} (s_2, m_{2_j})$, $\mathit{loop}_2'(n_2) \le j$;

• There are no configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$, and value stores agree on the values of variables in $\mathrm{TVar}(s)$:

$\nexists (s_1, m_{1_i})\ (s_2, m_{2_i}) : (s_1, m_1) \rightarrow^{*} (s_1, m_{1_i}(f_1, \mathit{loop}_1^i, \sigma_{1_i})) \land (s_2, m_2) \rightarrow^{*} (s_2, m_{2_i}(f_2, \mathit{loop}_2^i, \sigma_{2_i}))$ where

▪ $f_1 = f_2 = 0$; and

▪ $\mathit{loop}_1^i(n_1) = \mathit{loop}_2^i(n_2) = i$; and

▪ $\forall x \in \mathrm{TVar}(s) : \sigma_{1_i}(x) = \sigma_{2_i}(x)$.

Proof. From Lemma 5.15 we have that $s_1$ and $s_2$ terminate in the same way when started in states $m_1$ and $m_2$ respectively. Then there are two big cases.

1. $s_1$ and $s_2$ both terminate.

Let $i$ be the smallest integer such that the loop counters of $s_1$ and $s_2$ are less than $i$ in the executions. Then there are two possibilities.

(a) $i = 1$.

In the proof of Lemma 5.15, the evaluations of the loop predicates of $s_1$ and $s_2$ produce zero w.r.t. value stores $\sigma_1$ and $\sigma_2$. Then the execution of $s_1$ proceeds as follows:

$(s_1, m_1(\mathit{loop}_1, \sigma_1))$
$= (\mathrm{while}_{(n_1)}(e)\ \{S_1\},\ m_1(\mathit{loop}_1, \sigma_1))$
$\rightarrow (\mathrm{while}_{(n_1)}((0, v_{of}))\ \{S_1\},\ m_1(\mathit{loop}_1, \sigma_1))$ by rule EEval'
$\rightarrow (\mathrm{while}_{(n_1)}(0)\ \{S_1\},\ m_1(\mathit{loop}_1, \sigma_1))$ by rule E-Oflow1 or E-Oflow2
$\rightarrow (\mathrm{skip},\ m_1(\mathit{loop}_1 \setminus \{(n_1, *)\}, \sigma_1))$ by rule Wh-F1 or Wh-F2.

Similarly, $(s_2, m_2(\mathit{loop}_2, \sigma_2)) \rightarrow^{*} (\mathrm{skip}, m_2(\mathit{loop}_2 \setminus \{(n_2, *)\}, \sigma_2))$. Then the lemma holds because of the initial configurations $(s_1, m_1(\mathit{loop}_1, \sigma_1))$ and $(s_2, m_2(\mathit{loop}_2, \sigma_2))$.

(b) $i > 1$.

Because $s_1$ and $s_2$ terminate and $i$ is the smallest positive integer such that the loop counters of $s_1$ and $s_2$ are less than $i$, by Lemma 5.15, $\forall\, 0 \le j < i$, there are two configurations $(s_1, m_{1_j})$ and $(s_2, m_{2_j})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $j$ and value stores agree on the values of variables in $\mathrm{TVar}(s)$, and for every state in the execution $(s_1, m_1) \rightarrow^{*} (s_1, m_{1_j})$ or $(s_2, m_2) \rightarrow^{*} (s_2, m_{2_j})$ the loop counters of $s_1$ and $s_2$ are less than or equal to $j$ respectively. With the initial configurations $(s_1, m_1)$ and $(s_2, m_2)$, the lemma holds.

2. $s_1$ and $s_2$ both do not terminate. There are three possibilities.

(a) $\forall i > 0$, there are two configurations $(s_1, m_{1_i})$ and $(s_2, m_{2_i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$ and value stores agree on the values of variables in $\mathrm{TVar}(s)$, and for every state in the execution $(s_1, m_1) \rightarrow^{*} (s_1, m_{1_i})$ or $(s_2, m_2) \rightarrow^{*} (s_2, m_{2_i})$ the loop counters of $s_1$ and $s_2$ are less than or equal to $i$ respectively.

(b) The loop counters of $s_1$ and $s_2$ are less than a positive integer $i$.

Let $i$ be the smallest positive integer such that there is no positive integer $j < i$ for which the loop counters of $s_1$ and $s_2$ are less than $j$. This case occurs when $s_1$ and $s_2$ finish the full $(i-1)$th iteration and both executions raise an exception in the evaluation of the loop predicates of $s_1$ and $s_2$ for the $i$th time. There are two further possibilities.

i. $i = 1$.

In the proof of Lemma 5.15, the evaluations of the predicate expressions of $s_1$ and $s_2$ raise an exception w.r.t. value stores $\sigma_1$ and $\sigma_2$. The lemma holds.

ii. $i > 1$. By the assumption on the initial states $(s_1, m_1)$ and $(s_2, m_2)$, when $j = 0$ the initial states $(s_1, m_1)$ and $(s_2, m_2)$ have crash flags not set, the loop counters of $s_1$ and $s_2$ are zero and value stores agree on the values of variables of $s_1$ and $s_2$.

By Lemma 5.15, $\forall\, 0 \le j < i$, there are two configurations $(s_1, m_{1_j})$ and $(s_2, m_{2_j})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$, respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $j$ and value stores agree on the values of variables in $\mathrm{TVar}(s)$, and for every state in the execution $(s_1, m_1) \rightarrow^{*} (s_1, m_{1_j})$ or $(s_2, m_2) \rightarrow^{*} (s_2, m_{2_j})$ the loop counters of $s_1$ and $s_2$ are less than or equal to $j$ respectively. With the initial configurations $(s_1, m_1)$ and $(s_2, m_2)$, the lemma holds.

(c) The loop counters of $s_1$ and $s_2$ are less than or equal to a positive integer $i$.

Let $i$ be the smallest positive integer such that the loop counters of $s_1$ and $s_2$ are less than or equal to $i$. There are two possibilities.

i. $i = 1$.

In the proof of Lemma 5.15, the execution of $s_1$ proceeds as follows:

$(s_1, m_1(\mathit{loop}_1, \sigma_1))$
$= (\mathrm{while}_{(n_1)}(e)\ \{S_1\},\ m_1(\mathit{loop}_1, \sigma_1))$
$\rightarrow (\mathrm{while}_{(n_1)}((n, n_{of}))\ \{S_1\},\ m_1(\mathit{loop}_1, \sigma_1))$ where $n \neq 0$, by rule EEval'
$\rightarrow (\mathrm{while}_{(n_1)}(n)\ \{S_1\},\ m_1(\mathit{loop}_1, \sigma_1))$ by rule E-Oflow1 or E-Oflow2
$\rightarrow (S_1; \mathrm{while}_{(n_1)}(e)\ \{S_1\},\ m_1(\mathit{loop}_1[1/(n_1)], \sigma_1))$ by rule Wh-T.

The execution of $s_2$ proceeds to $(S_2; \mathrm{while}_{(n_2)}(e)\ \{S_2\},\ m_2(\mathit{loop}_2[1/(n_2)], \sigma_2))$. In addition, the executions of $S_1$ and $S_2$ do not terminate when started in states $m_1(\mathit{loop}_1[1/(n_1)], \sigma_1)$ and $m_2(\mathit{loop}_2[1/(n_2)], \sigma_2)$. By Lemma E.2, the executions of $s_1$ and $s_2$ do not terminate.

ii. $i > 1$.

In the proof of Lemma 5.15, when started in the state $(s_1, m_{1_{i-1}}(f_1, \mathit{loop}_1^{i-1}, \sigma_{1_{i-1}}))$ the execution of $s_1$ proceeds as follows:

$(s_1, m_{1_{i-1}}(f_1, \mathit{loop}_1^{i-1}, \sigma_{1_{i-1}}))$
$= (\mathrm{while}_{(n_1)}(e)\ \{S_1\},\ m_{1_{i-1}}(f_1, \mathit{loop}_1^{i-1}, \sigma_{1_{i-1}}))$
$\rightarrow (\mathrm{while}_{(n_1)}((v, v_{of}))\ \{S_1\},\ m_{1_{i-1}}(f_1, \mathit{loop}_1^{i-1}, \sigma_{1_{i-1}}))$ by rule EEval'
$\rightarrow (\mathrm{while}_{(n_1)}(v)\ \{S_1\},\ m_{1_{i-1}}(f_1, \mathit{loop}_1^{i-1}, \sigma_{1_{i-1}}))$ by rule E-Oflow1 or E-Oflow2
$\rightarrow (S_1; \mathrm{while}_{(n_1)}(e)\ \{S_1\},\ m_{1_{i-1}}(f_1, \mathit{loop}_1^{i-1}[i/(n_1)], \sigma_{1_{i-1}}))$ by rule Wh-T1 or Wh-T2.

The execution of $s_2$ proceeds to $(S_2; \mathrm{while}_{(n_2)}(e)\ \{S_2\},\ m_{2_{i-1}}(f_2, \mathit{loop}_2^{i-1}[i/(n_2)], \sigma_{2_{i-1}}))$. In addition, the executions of $S_1$ and $S_2$ do not terminate when started in states $m_{1_{i-1}}(f_1, \mathit{loop}_1^{i-1}[i/(n_1)], \sigma_{1_{i-1}})$ and $m_{2_{i-1}}(f_2, \mathit{loop}_2^{i-1}[i/(n_2)], \sigma_{2_{i-1}})$. By Lemma E.2, the executions of $s_1$ and $s_2$ do not terminate.

□ 

5.4 Behavioral equivalence

We now propose a proof rule under which two programs produce the same output sequence, namely the same I/O sequence up to any $i$th output value. We care about the I/O sequence, and not only the output values, because of the possible crash from the lack of input. We start by giving the definition of the same output sequence, then we describe the proof rule under which two programs produce the same output sequence, and finally we show that our proof rule ensures the same output, together with the necessary auxiliary lemmas. We use the notation “$\mathrm{Out}(\sigma)$” for the output sequence in value store $\sigma$, that is, the I/O sequence $\sigma(id_{io})$ up to the rightmost output value. In particular, when there is no output value in the I/O sequence $\sigma(id_{io})$, $\mathrm{Out}(\sigma) = \emptyset$.

Definition 20. (Same output sequence) Two statement sequences $S_1$ and $S_2$ produce the same output sequence when started in states $m_1$ and $m_2$ respectively, written $(S_1, m_1) =_O (S_2, m_2)$, iff $\forall m_1'\ m_2'$ such that $(S_1, m_1) \rightarrow^{*} (S_1', m_1'(\sigma_1'))$ and $(S_2, m_2) \rightarrow^{*} (S_2', m_2'(\sigma_2'))$, there are states $m_1''\ m_2''$ reachable from the initial states $m_1$ and $m_2$, $(S_1, m_1) \rightarrow^{*} (S_1'', m_1''(\sigma_1''))$ and $(S_2, m_2) \rightarrow^{*} (S_2'', m_2''(\sigma_2''))$, so that $\mathrm{Out}(\sigma_2'') = \mathrm{Out}(\sigma_1')$ and $\mathrm{Out}(\sigma_1'') = \mathrm{Out}(\sigma_2')$.
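Definition 20 evaluated on finite execution traces, as an added example (not code from the paper). It assumes a concrete encoding the paper does not fix: an I/O sequence $\sigma(id_{io})$ is a tuple of ("in", v) / ("out", v) events, and a trace is the list of I/O sequences held by the successive states of one execution. The constructed traces show why the relation is stated over the I/O sequence rather than the output values alone.

```python
# Added example, not code from the paper: Out(sigma) and the relation of
# Definition 20 checked on finite execution traces.  Assumptions: an I/O
# sequence sigma(id_io) is encoded as a tuple of ("in", v) / ("out", v) events
# (the paper fixes no concrete encoding), and a trace is the list of I/O
# sequences held by the successive states of one execution.

def out(io_seq):
    """Out(sigma): the I/O sequence up to its rightmost output value; the empty
    sequence when it holds no output value at all."""
    last_out = -1
    for idx, (kind, _value) in enumerate(io_seq):
        if kind == "out":
            last_out = idx
    return tuple(io_seq[: last_out + 1])

def same_output_sequence(trace1, trace2):
    """(S1, m1) =_O (S2, m2) on two finite traces: for every state of one
    execution some state of the other has the same Out(.), in both directions.
    Inputs read before an output belong to Out(.); inputs after the last
    output, and repeated states, do not matter."""
    outs1 = {out(seq) for seq in trace1}
    outs2 = {out(seq) for seq in trace2}
    return outs1 <= outs2 and outs2 <= outs1

def step(seq, kind, value):
    """I/O sequence of the next state after one input or output event."""
    return seq + ((kind, value),)

# Constructed traces (not from the paper), each listing every state's I/O
# sequence in execution order, starting from the empty sequence.
def trace_read_print_crash():
    s1 = step((), "in", 3)             # read one input value
    s2 = step(s1, "out", 3)            # print it
    s3 = step(s2, "in", 7)             # read again, then crash: the Crash rule
    return [(), s1, s2, s3, s3, s3]    # repeats the state without changing it

def trace_read_print_stop():
    s1 = step((), "in", 3)
    s2 = step(s1, "out", 3)            # same output, then terminates normally
    return [(), s1, s2]

def trace_read_twice_print():
    s1 = step((), "in", 3)
    s2 = step(s1, "in", 7)             # a second input is consumed before printing
    s3 = step(s2, "out", 3)
    return [(), s1, s2, s3]
```

`trace_read_print_crash` and `trace_read_print_stop` satisfy the relation although one of them crashes after reading a further input, since $\mathrm{Out}$ discards everything after the last output value; `trace_read_twice_print` does not satisfy it against either, because the extra input precedes the output and is therefore part of $\mathrm{Out}$.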

5.4.1 Proof rule for behavioral equivalence

We show the proof rule of behavioral equivalence. The output sequence produced in executions of a statement sequence $S$ depends on the values of a set of variables in the program, the output deciding variables $\mathrm{OVar}(S)$. The output deciding variables have two parts: $\mathrm{TVar}_O(S)$ are the variables affecting the termination of executions of a statement sequence; $\mathrm{Imp}_O(S)$ are the variables affecting the values of the I/O sequence produced in executions of a statement sequence. The definitions of $\mathrm{TVar}_O(S)$ and $\mathrm{Imp}_O(S)$ are given in Definitions 21 and 22.

Definition 21. (Imported variables relative to output) The imported variables in a program $S$ relative to output, written $\mathrm{Imp}_O(S)$, are listed as follows:

1. $\mathrm{Imp}_O(S) = \{id_{io}\}$, if $(\forall e : \text{“output } e\text{”} \notin S)$;

2. $\mathrm{Imp}_O(\text{“output } e\text{”}) = \{id_{io}\} \cup \mathrm{Use}(e)$;

3. $\mathrm{Imp}_O(\text{“If } (e) \text{ then } \{S_t\} \text{ else } \{S_f\}\text{”}) = \mathrm{Use}(e) \cup \mathrm{Imp}_O(S_t) \cup \mathrm{Imp}_O(S_f)$ if $(\exists e : \text{“output } e\text{”} \in S)$;

4. $\mathrm{Imp}_O(\text{“while}_{(n)}(e)\{S''\}\text{”}) = \mathrm{Imp}(\text{“while}_{(n)}(e)\{S''\}\text{”}, \{id_{io}\})$ if $(\exists e : \text{“output } e\text{”} \in S'')$;

5. For $k > 0$, $\mathrm{Imp}_O(s_1; \ldots; s_k; s_{k+1}) = \mathrm{Imp}(s_1; \ldots; s_k,\ \mathrm{Imp}_O(s_{k+1}))$ if $(\exists e : \text{“output } e\text{”} \in s_{k+1})$;

6. For $k > 0$, $\mathrm{Imp}_O(s_1; \ldots; s_k; s_{k+1}) = \mathrm{Imp}_O(s_1; \ldots; s_k)$ if $(\forall e : \text{“output } e\text{”} \notin s_{k+1})$.

Definition 22. (Termination deciding variables relative to output) The termination deciding variables in a statement sequence $S$ relative to output, written $\mathrm{TVar}_O(S)$, are listed as follows:

1. $\mathrm{TVar}_O(S) = \emptyset$ if $(\forall e : \text{“output } e\text{”} \notin S)$;

2. $\mathrm{TVar}_O(\text{“output } e\text{”}) = \mathrm{Err}(e)$;

3. $\mathrm{TVar}_O(\text{“If } (e) \text{ then } \{S_t\} \text{ else } \{S_f\}\text{”}) = \mathrm{Use}(e) \cup \mathrm{TVar}_O(S_t) \cup \mathrm{TVar}_O(S_f)$ if $(\exists e : \text{“output } e\text{”} \in S)$;

4. $\mathrm{TVar}_O(\text{“while}_{(n)}(e)\{S''\}\text{”}) = \mathrm{TVar}(\text{“while}_{(n)}(e)\{S''\}\text{”})$ if $(\exists e : \text{“output } e\text{”} \in S'')$;

5. For $k > 0$, $\mathrm{TVar}_O(s_1; \ldots; s_k; s_{k+1}) = \mathrm{TVar}(s_1; \ldots; s_k) \cup \mathrm{Imp}(s_1; \ldots; s_k,\ \mathrm{TVar}_O(s_{k+1}))$ if $(\exists e : \text{“output } e\text{”} \in s_{k+1})$;

6. For $k > 0$, $\mathrm{TVar}_O(s_1; \ldots; s_k; s_{k+1}) = \mathrm{TVar}_O(s_1; \ldots; s_k)$ if $(\forall e : \text{“output } e\text{”} \notin s_{k+1})$.

Definition 23. (Output deciding variables) The output deciding variables in a statement sequence $S$ are $\mathrm{Imp}_O(S) \cup \mathrm{TVar}_O(S)$, written $\mathrm{OVar}(S)$.
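Definitions 21 to 23 carried out on a small program, as an added example (not code from the paper). It uses a tiny AST for the page's statement forms. The functions $\mathrm{Imp}(S, X)$, $\mathrm{TVar}(S)$ and $\mathrm{Err}(e)$ that the definitions rely on are defined elsewhere in the paper, not on this page; the versions below are assumptions of the example, written as conservative approximations, and the sample program and its variable names are constructed.

```python
# Added example, not code from the paper: Imp_O, TVar_O and OVar exactly as
# Definitions 21-23 list them, over a small AST for the page's W-style statements.
# Imp(S, X), TVar(S) and Err(e) are used by those definitions but not defined on
# this page; here they are assumptions, given as conservative approximations
# (backward dependence for Imp; for TVar a failing expression never terminates,
# as the paper's Crash rule has it).
from dataclasses import dataclass

ID_IO = "id_io"   # the I/O sequence variable
F = frozenset

@dataclass(frozen=True)
class Expr:       # Use(e): variables read; Err(e): those whose values can make e fail (assumed)
    use: frozenset
    err: frozenset = F()

@dataclass(frozen=True)
class Skip: pass
@dataclass(frozen=True)
class Assign: var: str; expr: Expr
@dataclass(frozen=True)
class Output: expr: Expr
@dataclass(frozen=True)
class If: cond: Expr; then: tuple; els: tuple     # statement sequences are tuples
@dataclass(frozen=True)
class While: label: str; cond: Expr; body: tuple

def has_output(s):
    """exists e : "output e" in S, anywhere inside S."""
    parts = s if isinstance(s, tuple) else (
        getattr(s, "then", ()) + getattr(s, "els", ()) + getattr(s, "body", ()))
    return isinstance(s, Output) or any(has_output(p) for p in parts)

def imp(s, x):
    """Imp(S, X): variables whose values at entry to S may influence X at exit."""
    if isinstance(s, tuple):                      # Imp(s1;..;sk, X) = Imp(s1, Imp(s2;..;sk, X))
        for t in reversed(s):
            x = imp(t, x)
    elif isinstance(s, Assign) and s.var in x:
        x = (x - {s.var}) | s.expr.use
    elif isinstance(s, Output) and ID_IO in x:    # "output e" appends e's value to id_io
        x = x | s.expr.use
    elif isinstance(s, If):                       # the predicate is counted conservatively
        x = s.cond.use | imp(s.then, x) | imp(s.els, x)
    elif isinstance(s, While):                    # least fixpoint over any number of iterations
        nxt = x | s.cond.use | imp(s.body, x)
        x = x if nxt == x else imp(s, nxt)
    return x

def tvar(s):
    """TVar(S): variables whose values may decide whether S terminates."""
    if isinstance(s, tuple):
        return F() if not s else tvar(s[0]) | imp(s[0], tvar(s[1:]))
    if isinstance(s, (Assign, Output)):
        return s.expr.err
    if isinstance(s, If):
        return s.cond.use | tvar(s.then) | tvar(s.els)
    return imp(s, s.cond.use | tvar(s.body)) if isinstance(s, While) else F()

def imp_o(s):
    """Imp_O(S), Definition 21 (item numbers in the comments)."""
    if not has_output(s):                                      # (1)
        return F({ID_IO})
    if isinstance(s, tuple):
        *init, last = s
        return imp(tuple(init), imp_o(last)) if has_output(last) else imp_o(tuple(init))  # (5), (6)
    if isinstance(s, Output):                                  # (2)
        return F({ID_IO}) | s.expr.use
    if isinstance(s, If):                                      # (3)
        return s.cond.use | imp_o(s.then) | imp_o(s.els)
    return imp(s, F({ID_IO}))                                  # (4): s is a While

def tvar_o(s):
    """TVar_O(S), Definition 22."""
    if not has_output(s):                                      # (1)
        return F()
    if isinstance(s, tuple):
        *init, last = s
        init = tuple(init)
        return tvar(init) | imp(init, tvar_o(last)) if has_output(last) else tvar_o(init)  # (5), (6)
    if isinstance(s, Output):                                  # (2)
        return s.expr.err
    if isinstance(s, If):                                      # (3)
        return s.cond.use | tvar_o(s.then) | tvar_o(s.els)
    return tvar(s)                                             # (4): s is a While

def ovar(s):
    """OVar(S) = Imp_O(S) union TVar_O(S), Definition 23."""
    return imp_o(s) | tvar_o(s)

# Constructed sample (not from the paper):
#   y := a;  z := b / c;  while(n1) (y) { output y; y := y - 1 };  w := z
SAMPLE = (
    Assign("y", Expr(F({"a"}))),
    Assign("z", Expr(F({"b", "c"}), F({"c"}))),                          # c may be zero: Err = {c}
    While("n1", Expr(F({"y"})), (Output(Expr(F({"y"}))), Assign("y", Expr(F({"y"}))))),
    Assign("w", Expr(F({"z"}))),                                         # no output in the last statement
)
```

For `SAMPLE`, `imp_o` gives $\{id_{io}, a\}$ and `tvar_o` gives $\{a, c\}$, so $\mathrm{OVar} = \{id_{io}, a, c\}$: the variable $b$ is not output deciding because its value only reaches $w$, after the last output, while $c$ is, since a failing division before the loop means nothing is ever printed. This is the split the definitions make between variables that shape the output values ($\mathrm{Imp}_O$) and variables that decide whether the output is produced at all ($\mathrm{TVar}_O$).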

The condition of behavioral equivalence is defined recursively. The base case covers two identical output statements, or two statements in which the output sequence variable is not defined. The inductive cases are syntax directed, following the syntax of compound statements and statement sequences.

Definition 24. (Proof rule of behavioral equivalence) Two statement sequences $S_1$ and $S_2$ satisfy the proof rule of behavioral equivalence, written $S_1 =_O S_2$, iff one of the following holds:

1. $S_1$ and $S_2$ are one statement and one of the following holds:

(a) $S_1$ and $S_2$ are simple statements and one of the following holds:

i. $S_1$ and $S_2$ are not output statements, $\forall e_1\ e_2 : (\text{“output } e_1\text{”} \neq S_1) \land (\text{“output } e_2\text{”} \neq S_2)$; or

ii. $S_1 = S_2 = \text{“output } e\text{”}$.

(b) $S_1 = \text{“If } (e) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\}\text{”}$, $S_2 = \text{“If } (e) \text{ then } \{S_2^t\} \text{ else } \{S_2^f\}\text{”}$ and all of the following hold:

• There is an output statement in $S_1$ and $S_2$, $\exists e_1\ e_2 : (\text{“output } e_1\text{”} \in S_1) \land (\text{“output } e_2\text{”} \in S_2)$;

• $(S_1^t =_O S_2^t) \land (S_1^f =_O S_2^f)$;

(c) $S_1 = \text{“while}_{(n_1)}(e)\ \{S_1''\}\text{”}$ and $S_2 = \text{“while}_{(n_2)}(e)\ \{S_2''\}\text{”}$ and all of the following hold:

• There is an output statement in $S_1$ and $S_2$, $\exists e_1\ e_2 : (\text{“output } e_1\text{”} \in S_1) \land (\text{“output } e_2\text{”} \in S_2)$;

• $S_1'' =_O S_2''$;

• $S_1''$ and $S_2''$ have equivalent computation of $\mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2)$;

• $S_1''$ and $S_2''$ satisfy the proof rule of termination in the same way, $S_1'' =_H S_2''$;

(d) Output statements are in neither $S_1$ nor $S_2$, $\forall e_1\ e_2 : (\text{“output } e_1\text{”} \notin S_1) \land (\text{“output } e_2\text{”} \notin S_2)$.

2. $S_1$ and $S_2$ are not both one statement and one of the following holds:

(a) $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$, and all of the following hold:

• $S_1' =_O S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $\mathrm{OVar}(s_1) \cup \mathrm{OVar}(s_2)$;

• $S_1'$ and $S_2'$ satisfy the proof rule of termination in the same way: $S_1' =_H S_2'$;

• There is an output statement in both $s_1$ and $s_2$, $\exists e_1\ e_2 : (\text{“output } e_1\text{”} \in s_1) \land (\text{“output } e_2\text{”} \in s_2)$;

• $s_1 =_O s_2$;

(b) There is no output statement in the last statement of $S_1$ or of $S_2$:

$((S_1 = S_1'; s_1) \land (S_1' =_O S_2) \land (\forall e : \text{“output } e\text{”} \notin s_1)) \lor ((S_2 = S_2'; s_2) \land (S_1 =_O S_2') \land (\forall e : \text{“output } e\text{”} \notin s_2))$.

5.4.2 Soundness of the proof rule for behavioral equivalence

We show that if two statement sequences satisfy the proof rule of behavioral equivalence and their initial states agree on the values of their output deciding variables, then the two statement sequences produce the same output sequence when started in their initial states.

Theorem 5. Let two statement sequences $S_1$ and $S_2$ satisfy the proof rule of behavioral equivalence, $S_1 =_O S_2$. If $S_1$ and $S_2$ start in states $m_1(f_1, \sigma_1)$ and $m_2(f_2, \sigma_2)$ where both of the following hold:

• Crash flags are not set, $f_1 = f_2 = 0$;

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the output deciding variables of $S_1$ and $S_2$, $\forall id \in \mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2) : \sigma_1(id) = \sigma_2(id)$;

then $S_1$ and $S_2$ produce the same output sequence, $(S_1, m_1) =_O (S_2, m_2)$.

The proof is by induction on the sum of the program sizes of $S_1$ and $S_2$, $\mathrm{size}(S_1) + \mathrm{size}(S_2)$, and is a case analysis based on $S_1 =_O S_2$.

Proof. The proof is by induction on the sum of the program sizes of $S_1$ and $S_2$, $\mathrm{size}(S_1) + \mathrm{size}(S_2)$, and is a case analysis based on $S_1 =_O S_2$.

Base case.

$S_1$ and $S_2$ are simple statements. There are two cases according to the proof rule of behavioral equivalence, because stacks are not changed in executions of $S_1$ and $S_2$.

1. $S_1$ and $S_2$ are not output statements, $\forall e_1\ e_2 : (\text{“output } e_1\text{”} \neq S_1) \land (\text{“output } e_2\text{”} \neq S_2)$.

By the definition of imported variables relative to output, $\mathrm{Imp}_O(S_1) = \mathrm{Imp}_O(S_2) = \{id_{io}\}$. By assumption, the initial value stores $\sigma_1$ and $\sigma_2$ agree on the value of the I/O sequence variable, $\sigma_1(id_{io}) = \sigma_2(id_{io})$. By definition, $\mathrm{Out}(\sigma_1) = \mathrm{Out}(\sigma_2)$.

By Lemma 5.23, in any state $m_1'$ reachable from $m_1$ the output sequence in $m_1'$ is the same as that in $m_1$, $\forall m_1' : ((S_1, m_1(\sigma_1)) \rightarrow^{*} (S_1', m_1'(\sigma_1'))) \Rightarrow (\mathrm{Out}(\sigma_1') = \mathrm{Out}(\sigma_1))$. Similarly, for any state $m_2'$ reachable from $m_2$, the output sequence in $m_2'$ is the same as that in $m_2$. The theorem holds.

2. $S_1 = S_2 = \text{“output } e\text{”}$.

We show that the expression $e$ evaluates to the same value w.r.t. value stores $\sigma_1$ and $\sigma_2$. By the definition of imported variables relative to output, $\mathrm{Imp}_O(S_1) = \mathrm{Imp}_O(S_2) = \mathrm{Use}(e) \cup \{id_{io}\}$. Then $\forall x \in \mathrm{Use}(e) \cup \{id_{io}\} : \sigma_1(x) = \sigma_2(x)$ by assumption. By Lemma 5.1, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2$. Then there are two possibilities.

(a) $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (\mathrm{error}, v_{of})$.

The execution of $S_1$ proceeds as follows.

$(\text{output } e,\ m_1(\sigma_1))$
$\rightarrow (\text{output } (\mathrm{error}, v_{of}),\ m_1(\sigma_1))$ by the EEval' rule
$\rightarrow (\text{output } 0,\ m_1(1/f))$ by the ECrash rule
$\rightarrow^{l} (\text{output } 0,\ m_1(1/f))$ for any $l > 0$ by the Crash rule.

Similarly, the execution of $S_2$ does not terminate and there is no change to the I/O sequence in the execution. Because $\sigma_1(id_{io}) = \sigma_2(id_{io})$, the output sequences in value stores $\sigma_1$ and $\sigma_2$ are the same, $\mathrm{Out}(\sigma_1) = \mathrm{Out}(\sigma_2)$, and the theorem holds.

(b) $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 \neq (\mathrm{error}, v_{of})$.

$S_1$ and $S_2$ satisfy the proof rule of equivalent computation of the I/O sequence variable and their initial states agree on the values of the imported variables relative to the I/O sequence variable. By Theorem 2, $S_1$ and $S_2$ produce the same output sequence after terminating execution when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. The theorem holds.

Induction step.

The hypothesis IH is that Theorem 5 holds when $\mathrm{size}(S_1) + \mathrm{size}(S_2) = k \ge 2$.

We show that Theorem 5 holds when $\mathrm{size}(S_1) + \mathrm{size}(S_2) = k + 1$. The proof is a case analysis according to the cases in the definition of the proof rule of behavioral equivalence.

1. $S_1$ and $S_2$ are one statement and one of the following holds:

(a) $S_1 = \text{“If}(e) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\}\text{”}$ and $S_2 = \text{“If}(e) \text{ then } \{S_2^t\} \text{ else } \{S_2^f\}\text{”}$ and all of the following hold:

• There is an output statement in $S_1$ and $S_2$: $\exists e_1\ e_2 : (\text{“output } e_1\text{”} \in S_1) \land (\text{“output } e_2\text{”} \in S_2)$;

• $S_1^t =_O S_2^t$;

• $S_1^f =_O S_2^f$.

By Lemma 5.17, $\{id_{io}\} \subseteq \mathrm{Imp}_O(S_1)$. By assumption, value stores $\sigma_1$ and $\sigma_2$ agree on the value of the I/O sequence variable, $\sigma_1(id_{io}) = \sigma_2(id_{io})$.

We show that the evaluations of the predicate expression of $S_1$ and $S_2$ w.r.t. the initial value stores $\sigma_1$ and $\sigma_2$ produce the same value. We need to show that value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in the predicate expression $e$ of $S_1$ and $S_2$. Because the output sequence is defined in $S_1$, by the definition of imported variables relative to output, $\mathrm{Imp}_O(S_1) = \mathrm{Use}(e) \cup \mathrm{Imp}_O(S_1^t) \cup \mathrm{Imp}_O(S_1^f)$. Thus, $\mathrm{Use}(e) \subseteq \mathrm{OVar}(S_1)$. By assumption, value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in the predicate expression $e$ of $S_1$ and $S_2$, $\forall x \in \mathrm{Use}(e) : \sigma_1(x) = \sigma_2(x)$. By Lemma 5.1, the evaluations of the predicate expression of $S_1$ and $S_2$ w.r.t. value stores $\sigma_1$ and $\sigma_2$ generate the same value, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2$. Then there are two possibilities.

i. $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (\mathrm{error}, v_{of})$.

Then the execution of $S_1$ proceeds as follows:

$(\text{If}(e) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(\sigma_1))$
$\rightarrow (\text{If}((\mathrm{error}, v_{of})) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(\sigma_1))$ by the EEval' rule
$\rightarrow (\text{If}(0) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(1/f))$ by the ECrash rule
$\rightarrow^{i} (\text{If}(0) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(1/f))$ for any $i > 0$, by the Crash rule.

Similarly, the execution of $S_2$ does not terminate and does not redefine the I/O sequence. Because $\sigma_1(id_{io}) = \sigma_2(id_{io})$, the theorem holds.

ii. $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 \neq (\mathrm{error}, v_{of})$.

W.l.o.g., $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (0, v_{of})$. The execution of $S_1$ proceeds as follows.

$(\text{If}(e) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(\sigma_1))$
$\rightarrow (\text{If}((0, v_{of})) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(\sigma_1))$ by the EEval' rule
$\rightarrow (\text{If}(0) \text{ then } \{S_1^t\} \text{ else } \{S_1^f\},\ m_1(\sigma_1))$ by the E-Oflow1 or E-Oflow2 rule
$\rightarrow (S_1^f,\ m_1(\sigma_1))$ by the If-E rule.

Similarly, the execution of $S_2$ proceeds to $(S_2^f, m_2(\sigma_2))$ after two steps. By the hypothesis IH, we show that $S_1^f$ and $S_2^f$ produce the same output sequence when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$. We need to show that all required conditions are satisfied.

• $\mathrm{size}(S_1^f) + \mathrm{size}(S_2^f) \le k$.

By definition, $\mathrm{size}(S_1) = 1 + \mathrm{size}(S_1^t) + \mathrm{size}(S_1^f)$. Therefore, $\mathrm{size}(S_1^f) + \mathrm{size}(S_2^f) \le k$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the output deciding variables of $S_1^f$ and $S_2^f$, $\forall x \in \mathrm{OVar}(S_1^f) \cup \mathrm{OVar}(S_2^f) : \sigma_1(x) = \sigma_2(x)$.

By the definition of imported variables relative to output, $\mathrm{Imp}_O(S_1^f) \subseteq \mathrm{Imp}_O(S_1)$. Besides, by the definition of $\mathrm{TVar}_O(S_1)$, $\mathrm{TVar}_O(S_1^f) \subseteq \mathrm{TVar}_O(S_1)$. Then $\mathrm{OVar}(S_1^f) \subseteq \mathrm{OVar}(S_1)$. Similarly, $\mathrm{OVar}(S_2^f) \subseteq \mathrm{OVar}(S_2)$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the output deciding variables of $S_1^f$ and $S_2^f$.

By the hypothesis IH, $S_1^f$ and $S_2^f$ produce the same output sequence when started from states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. The theorem holds.

(b) $S_1 = \text{“while}_{(n_1)}(e)\ \{S_1''\}\text{”}$ and $S_2 = \text{“while}_{(n_2)}(e)\ \{S_2''\}\text{”}$ and all of the following hold:

• There is an output statement in $S_1$ and $S_2$: $\exists e_1\ e_2 : (\text{“output } e_1\text{”} \in S_1) \land (\text{“output } e_2\text{”} \in S_2)$;

• $S_1'' =_O S_2''$;

• Both loop bodies satisfy the proof rule of termination in the same way: $S_1'' =_H S_2''$;

• $S_1''$ and $S_2''$ have equivalent computation of $\mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2)$.

By Corollary 5.5, we show that $S_1$ and $S_2$ produce the same output sequence when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. We need to show that the required conditions are satisfied.

• Crash flags are not set, $f_1 = f_2 = 0$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the output deciding variables of $S_1$ and $S_2$, $\forall x \in \mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2) : \sigma_1(x) = \sigma_2(x)$.

• The loop counters of $S_1$ and $S_2$ are zero in the initial loop counter maps, $\mathit{loop}_1(n_1) = \mathit{loop}_2(n_2) = 0$.

• The loop bodies of $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, $S_1'' =_H S_2''$.

• The loop bodies of $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of $\mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2)$.

The above five conditions are from the assumption.

• $S_1$ and $S_2$ have the same set of termination deciding variables, $\mathrm{TVar}(S_1) = \mathrm{TVar}(S_2)$.

By the definition of $\mathrm{TVar}_O(S_1)$, $\mathrm{TVar}_O(S_1) = \mathrm{TVar}(S_1)$ and $\mathrm{TVar}_O(S_2) = \mathrm{TVar}(S_2)$. By Lemma 5.21, $\mathrm{TVar}_O(S_1) = \mathrm{TVar}_O(S_2)$. Thus, $\mathrm{TVar}(S_1) = \mathrm{TVar}(S_2)$.

• $S_1$ and $S_2$ have the same set of imported variables relative to the I/O sequence variable, $\mathrm{Imp}(S_1, \{id_{io}\}) = \mathrm{Imp}(S_2, \{id_{io}\})$.

By Lemma 5.19, $\mathrm{Imp}_O(S_1) = \mathrm{Imp}_O(S_2)$. By definition, $\mathrm{Imp}_O(S_1) = \mathrm{Imp}(S_1, \{id_{io}\})$ and $\mathrm{Imp}_O(S_2) = \mathrm{Imp}(S_2, \{id_{io}\})$. Thus, $\mathrm{Imp}(S_1, \{id_{io}\}) = \mathrm{Imp}(S_2, \{id_{io}\})$.

• The loop bodies of $S_1$ and $S_2$ produce the same output sequence when started in states with crash flags not set and whose value stores agree on the values of the output deciding variables of $S_1''$ and $S_2''$, $\forall m_{S_1''}(f_1'', \sigma_1'')\ m_{S_2''}(f_2'', \sigma_2'') : ((\forall x \in \mathrm{OVar}(S_1'') \cup \mathrm{OVar}(S_2'') : \sigma_1''(x) = \sigma_2''(x)) \land (f_1'' = f_2'' = 0)) \Rightarrow (S_1'', m_{S_1''}(f_1'', \sigma_1'')) =_O (S_2'', m_{S_2''}(f_2'', \sigma_2''))$.

Because $\mathrm{size}(S_1) = 1 + \mathrm{size}(S_1'')$ and $\mathrm{size}(S_2) = 1 + \mathrm{size}(S_2'')$, we have $\mathrm{size}(S_1'') + \mathrm{size}(S_2'') \le k$. By the hypothesis IH, the condition is satisfied.

By Corollary 5.5, $S_1$ and $S_2$ produce the same output sequence when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. The theorem holds.

(c) Output statements are in neither $S_1$ nor $S_2$, $\forall e_1\ e_2 : (\text{“output } e_1\text{”} \notin S_1) \land (\text{“output } e_2\text{”} \notin S_2)$.

By Lemma 5.17, $\{id_{io}\} \subseteq \mathrm{Imp}_O(S_1)$. By assumption, the value stores in the initial states $m_1$, $m_2$ agree on the value of the I/O sequence variable, $\sigma_1(id_{io}) = \sigma_2(id_{io})$. By Lemma 5.23, the value of the output sequence is the same in $m_1$ and in any state reachable from $m_1$: $\forall m_1'\ m_2' : (S_1, m_1(\sigma_1)) \rightarrow^{*} (S_1', m_1'(\sigma_1'))$ and $(S_2, m_2(\sigma_2)) \rightarrow^{*} (S_2', m_2'(\sigma_2'))$, $\mathrm{Out}(\sigma_1') = \mathrm{Out}(\sigma_1) = \mathrm{Out}(\sigma_2) = \mathrm{Out}(\sigma_2')$. The theorem holds.

2. $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ are not both one statement and one of the following holds:

(a) There is an output statement in both $s_1$ and $s_2$, $\exists e_1\ e_2 : (\text{“output } e_1\text{”} \in s_1) \land (\text{“output } e_2\text{”} \in s_2)$, and all of the following hold:

• $S_1' =_O S_2'$;

• $S_1'$ and $S_2'$ satisfy the proof rule of termination in the same way: $S_1' =_H S_2'$;

• $S_1'$ and $S_2'$ have equivalent computation of $\mathrm{OVar}(s_1) \cup \mathrm{OVar}(s_2)$;

• $s_1 =_O s_2$.

By the hypothesis IH, we show that $S_1'$ and $S_2'$ produce the same output sequence when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. We need to show that all required conditions are satisfied.

• $\mathrm{size}(S_1') + \mathrm{size}(S_2') \le k$.

By the definition of program size, $\mathrm{size}(s_1) \ge 1$ and $\mathrm{size}(s_2) \ge 1$. Then $\mathrm{size}(S_1') + \mathrm{size}(S_2') \le k$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the output deciding variables of $S_1'$ and $S_2'$, $\forall x \in \mathrm{OVar}(S_1') \cup \mathrm{OVar}(S_2') : \sigma_1(x) = \sigma_2(x)$.

We show that $\mathrm{TVar}_O(S_1') \subseteq \mathrm{TVar}_O(S_1)$:

$\mathrm{TVar}_O(S_1') \subseteq \mathrm{TVar}(S_1')$ by Lemma 5.20
$\subseteq \mathrm{TVar}_O(S_1)$ by the definition of $\mathrm{TVar}_O(S_1)$.

We show that $\mathrm{Imp}_O(S_1') \subseteq \mathrm{Imp}_O(S_1)$:

$\mathrm{Imp}_O(S_1') \subseteq \mathrm{Imp}(S_1', \{id_{io}\})$ (1) by Lemma 5.18
$\{id_{io}\} \subseteq \mathrm{Imp}_O(s_1)$ (2) by Lemma 5.17

Combining (1) and (2):

$\mathrm{Imp}(S_1', \{id_{io}\}) \subseteq \mathrm{Imp}(S_1', \mathrm{Imp}_O(s_1))$ by Lemma C.2
$= \mathrm{Imp}_O(S_1)$ by the definition of $\mathrm{Imp}_O(S)$.

Similarly, $\mathrm{OVar}(S_2') \subseteq \mathrm{OVar}(S_2)$. By assumption, value stores $\sigma_1$ and $\sigma_2$ agree on the values of the output deciding variables of $S_1'$ and $S_2'$.

By the hypothesis IH, $S_1'$ and $S_2'$ produce the same output sequence when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively.

We show that $s_1$ and $s_2$ produce the same output sequence if $s_1$ and $s_2$ execute. We need to show that $S_1'$ and $S_2'$ terminate in the same way when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. Specifically, we prove that the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1'$ and $S_2'$. By definition, the termination deciding variables of $S_1'$ are a subset of the termination deciding variables relative to output, $\mathrm{TVar}(S_1') \subseteq \mathrm{TVar}_O(S_1)$. Similarly, $\mathrm{TVar}(S_2') \subseteq \mathrm{TVar}_O(S_2)$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the termination deciding variables of $S_1'$ and $S_2'$, $\forall x \in \mathrm{TVar}(S_1') \cup \mathrm{TVar}(S_2') : \sigma_1(x) = \sigma_2(x)$. By Theorem 4, $S_1'$ and $S_2'$ terminate in the same way when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively.

If $S_1'$ and $S_2'$ terminate when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$, then by Lemma 5.14 $S_1'$ and $S_2'$ consume the same amount of input values. In addition, we show by Theorem 2 that the value stores agree on the values of the output deciding variables of $s_1$ and $s_2$. We need to show that $S_1'$ and $S_2'$ start execution in states agreeing on the values of the imported variables in $S_1'$ and $S_2'$ relative to the output deciding variables of $s_1$ and $s_2$.

• $\mathrm{Imp}(S_1', \mathrm{TVar}_O(s_1)) \subseteq \mathrm{TVar}_O(S_1)$. This is by the definition of $\mathrm{TVar}_O(S_1)$.

• $\mathrm{Imp}(S_1', \mathrm{Imp}_O(s_1)) = \mathrm{Imp}_O(S_1)$. This is by the definition of $\mathrm{Imp}_O(S_1)$.

Thus, the imported variables in $S_1'$ relative to the output deciding variables of $s_1$ are a subset of the output deciding variables of $S_1$, $\mathrm{Imp}(S_1', \mathrm{OVar}(s_1)) \subseteq \mathrm{OVar}(S_1)$. Similarly, $\mathrm{Imp}(S_2', \mathrm{OVar}(s_2)) \subseteq \mathrm{OVar}(S_2)$. By Corollary 5.4, $s_1$ and $s_2$ have the same output deciding variables, $\mathrm{OVar}(s_1) = \mathrm{OVar}(s_2)$. By assumption, $S_1'$ and $S_2'$ terminate when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$, $(S_1', m_1(\sigma_1)) \rightarrow^{*} (\mathrm{skip}, m_1'(\sigma_1'))$, $(S_2', m_2(\sigma_2)) \rightarrow^{*} (\mathrm{skip}, m_2'(\sigma_2'))$. By Theorem 2, value stores $\sigma_1'$ and $\sigma_2'$ agree on the values of the output deciding variables of $s_1$ and $s_2$.

By the hypothesis IH again, $s_1$ and $s_2$ produce the same output sequence when started in states $m_1'(\sigma_1')$ and $m_2'(\sigma_2')$ respectively. The theorem holds.

(b) There is no output statement in the last statement of $S_1$ or $S_2$. W.l.o.g., $(\forall e : \text{``output } e\text{''} \notin s_1) \wedge (S_1' =_O S_2')$. By the hypothesis IH, we show that $S_1'$ and $S_2'$ produce the same output sequence when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively. We need to show that the two required conditions are satisfied.

• $\mathrm{size}(S_1') + \mathrm{size}(S_2') < k$: $\mathrm{size}(s_1) \geq 1$ by definition, so $\mathrm{size}(S_1') + \mathrm{size}(S_2') < \mathrm{size}(S_1) + \mathrm{size}(S_2) = k$.

• $\forall x \in \mathrm{OVar}(S_1') \cup \mathrm{OVar}(S_2') : \sigma_1(x) = \sigma_2(x)$: by the definitions of $\mathrm{TVar}_O(S)$ and $\mathrm{Imp}_O(S)$, since $s_1$ contains no output statement, $\mathrm{TVar}_O(S_1') = \mathrm{TVar}_O(S_1)$ and $\mathrm{Imp}_O(S_1') = \mathrm{Imp}_O(S_1)$. Hence $\forall x \in \mathrm{OVar}(S_1') \cup \mathrm{OVar}(S_2') : \sigma_1(x) = \sigma_2(x)$.

Therefore, $S_1'$ and $S_2'$ produce the same output sequence when started in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively, $(S_1', m_1) =_O (S_2', m_2)$, by the hypothesis IH.

When the execution of $S_1'$ terminates, the output sequence is not changed by the execution of $s_1$, by Lemma 5.23. The theorem holds.

□

5.4.3 Supporting lemmas for the soundness proof of behavioral equivalence

We list below the lemmas and corollaries used in the proof of Theorem 5. The supporting lemmas are of two kinds. One kind states properties of the out-deciding variables. The other kind is the proof that two loop statements produce the same output sequence.

Lemma 5.17. For any statement sequence $S$, the I/O sequence variable is an imported variable of $S$ relative to output, $id_{IO} \in \mathrm{Imp}_O(S)$.

Proof. By structural induction on the abstract syntax of $S$. □

Lemma 5.18. For any statement sequence $S$, the imported variables of $S$ relative to output are a subset of the imported variables of $S$ relative to the I/O sequence variable, $\mathrm{Imp}_O(S) \subseteq \mathrm{Imp}(S, \{id_{IO}\})$.

Proof. By induction on the abstract syntax of $S$. In every case there are subcases, where necessary, depending on whether there is an output statement in the statement sequence $S$. □

Lemma 5.19. If two statement sequences $S_1$ and $S_2$ satisfy the proof rule of behavioral equivalence, then $S_1$ and $S_2$ have the same set of imported variables relative to output, $(S_1 =_O S_2) \Rightarrow (\mathrm{Imp}_O(S_1) = \mathrm{Imp}_O(S_2))$.

Proof. By induction on $\mathrm{size}(S_1) + \mathrm{size}(S_2)$. □

Lemma 5.20. For any statement sequence $S$, the termination deciding variables of $S$ relative to output are a subset of the termination deciding variables of $S$, $\mathrm{TVar}_O(S) \subseteq \mathrm{TVar}(S)$.

Proof. By induction on the abstract syntax of $S$. In every case there are subcases, where necessary, depending on whether there is an output statement in the statement sequence $S$. □

Lemma 5.21. If two statement sequences $S_1$ and $S_2$ satisfy the proof rule of behavioral equivalence, then $S_1$ and $S_2$ have the same set of termination deciding variables relative to output, $(S_1 =_O S_2) \Rightarrow (\mathrm{TVar}_O(S_1) = \mathrm{TVar}_O(S_2))$.

Proof. By induction on $\mathrm{size}(S_1) + \mathrm{size}(S_2)$. □

Corollary 5.4. If two statement sequences $S_1$ and $S_2$ satisfy the proof rule of behavioral equivalence, then $S_1$ and $S_2$ have the same set of out-deciding variables, $(S_1 =_O S_2) \Rightarrow (\mathrm{OVar}(S_1) = \mathrm{OVar}(S_2))$.

Proof. By Lemma 5.19, $\mathrm{Imp}_O(S_1) = \mathrm{Imp}_O(S_2)$. By Lemma 5.21, $\mathrm{TVar}_O(S_1) = \mathrm{TVar}_O(S_2)$. Since $\mathrm{OVar}(S) = \mathrm{TVar}_O(S) \cup \mathrm{Imp}_O(S)$, the sets are equal. □

Lemma 5.22. In a one-step execution $(S, m(\sigma)) \to (S', m'(\sigma'))$, if there is no output statement in $S$, then the output sequence is the same in the value stores $\sigma$ and $\sigma'$, $\mathrm{Out}(\sigma') = \mathrm{Out}(\sigma)$.

Proof. By induction on the abstract syntax of $S$ and on the crash flag $f$ in the state $m$. □

Lemma 5.23. If there is no output statement in $S$, then after the execution $(S, m(\sigma)) \to^* (S', m'(\sigma'))$ the output sequence is the same in the value stores $\sigma$ and $\sigma'$, $\mathrm{Out}(\sigma') = \mathrm{Out}(\sigma)$.

Proof. By induction on the number $k$ of execution steps in $(S, m(\sigma)) \to^k (S', m'(\sigma'))$. The proof also relies on the fact that if a statement $s$ does not occur in $S$, then $s$ does not occur in $S'$ either. □

Lemma 5.24. Let a while statement $s = \text{``}\mathrm{while}_{(n)}(e)\{S\}\text{''}$ start in a state $m(f, \mathrm{loop}_c)$ in which the loop counter of $s$ is zero, $\mathrm{loop}_c(n) = 0$, and the crash flag is not set, $f = 0$. For any positive integer $i$, if there is a state $m'(\mathrm{loop}_c')$ reachable from $m$ in which the loop counter of $s$ is $i$, $\mathrm{loop}_c'(n) = i$, then there is a configuration $(S; s, m''(f'', \mathrm{loop}_c''))$ reachable from the configuration $(s, m)$ in which the loop counter of $s$ is $i$, $\mathrm{loop}_c''(n) = i$, and the crash flag is not set, $f'' = 0$:

$\forall i > 0 : (((s, m(f, \mathrm{loop}_c)) \to^* (S', m'(f', \mathrm{loop}_c'))) \wedge (\mathrm{loop}_c(n) = 0) \wedge (f = 0) \wedge (\mathrm{loop}_c'(n) = i)) \Rightarrow$

$(s, m(f, \mathrm{loop}_c)) \to^* (S; s, m''(f'', \mathrm{loop}_c''))$ where $f'' = 0$ and $\mathrm{loop}_c''(n) = i$.

Proof. The proof is by induction on $i$.

Base case $i = 1$.

We show that the evaluation of the loop predicate of $s$ w.r.t. the value store $\sigma$ in the state $m(\mathrm{loop}_c, \sigma)$ produces a nonzero integer value. By our semantic rules, if the evaluation of the predicate expression of $s$ raises an exception, the execution of $s$ proceeds as follows:

$(s, m(f, \mathrm{loop}_c, \sigma))$
$= (\mathrm{while}_{(n)}(e)\{S\}, m(\mathrm{loop}_c, \sigma))$
$\to (\mathrm{while}_{(n)}(\mathrm{error})\{S\}, m(\mathrm{loop}_c, \sigma))$ by the EEval rule
$\to (\mathrm{while}_{(n)}(0)\{S\}, m(1/f, \mathrm{loop}_c, \sigma))$ by the ECrash rule
$\to^k (\mathrm{while}_{(n)}(0)\{S\}, m(1/f, \mathrm{loop}_c, \sigma))$ for any $k > 0$, by the Crash rule.

Hence we have a contradiction: there is no configuration in which the loop counter of $s$ is 1.

When the evaluation of the loop predicate expression of $s$ produces zero, the execution of $s$ proceeds as follows:

$(s, m(f, \mathrm{loop}_c, \sigma))$
$= (\mathrm{while}_{(n)}(e)\{S\}, m(\mathrm{loop}_c, \sigma))$
$\to (\mathrm{while}_{(n)}(0)\{S\}, m(\mathrm{loop}_c, \sigma))$ by the EEval rule
$\to (\mathrm{skip}, m(\mathrm{loop}_c[0/n]))$ by the Wh-F rule.

Hence we again have a contradiction: there is no configuration in which the loop counter of $s$ is 1. Therefore the evaluation of the predicate expression of $s$ w.r.t. the value store $\sigma$ produces a nonzero value, and the execution of $s$ proceeds as follows:

$(s, m(f, \mathrm{loop}_c, \sigma))$
$= (\mathrm{while}_{(n)}(e)\{S\}, m(f, \mathrm{loop}_c, \sigma))$
$\to (\mathrm{while}_{(n)}(\mathcal{E}[\![e]\!]\sigma)\{S\}, m(f, \mathrm{loop}_c, \sigma))$ by the EEval rule
$\to (S; \mathrm{while}_{(n)}(e)\{S\}, m(f, \mathrm{loop}_c[1/n], \sigma))$ by the Wh-T rule.

The lemma holds.

Induction step.

The hypothesis IH is that, if there is a configuration $(S', m_i(\mathrm{loop}_c^i))$ reachable from $(s, m)$ in which the loop counter of $s$ is $i$, $\mathrm{loop}_c^i(n) = i > 0$, then there is a configuration $(S; s, m_i(f, \mathrm{loop}_c^i))$ reachable from $(s, m)$ in which the loop counter of $s$ is $i$ and the crash flag is not set.

We then show that, if there is a configuration $(S', m_{i+1}(\mathrm{loop}_c^{i+1}))$ reachable from $(s, m)$ in which the loop counter of $s$ is $i+1$, then there is a configuration $(S; s, m_{i+1}(f, \mathrm{loop}_c^{i+1}))$ reachable from $(s, m)$ in which the loop counter of $s$ is $i+1$ and the crash flag $f$ is not set.

By the lemma that the loop counter of $s$ increases by one in a single step (its number is illegible in the source), there must be a configuration reachable from $(s, m)$ in which the loop counter of $s$ is $i$. By the hypothesis, there is a configuration $(S; s, m_i(f, \mathrm{loop}_c^i, \sigma_i))$ reachable from $(s, m)$ in which the loop counter is $i$, $\mathrm{loop}_c^i(n) = i$, and the crash flag is not set, $f = 0$. By the assumption of unique loop labels, $s \notin S$. Then the loop counter of $s$ is not redefined in the execution of $S$ started in state $m_i(f, \mathrm{loop}_c^i, \sigma_i)$. Because there is a configuration in which the loop counter of $s$ is $i+1$, the execution of $S$ started in state $m_i(f, \mathrm{loop}_c^i, \sigma_i)$ terminates, $(S, m_i(f, \mathrm{loop}_c^i, \sigma_i)) \to^* (\mathrm{skip}, m_{i+1}(f, \mathrm{loop}_c^{i+1}, \sigma_{i+1}))$ where $f = 0$ and $\mathrm{loop}_c^{i+1}(n) = i$. By Corollary 5.1, $(S; s, m_i(f, \mathrm{loop}_c^i, \sigma_i)) \to^* (s, m_{i+1}(f, \mathrm{loop}_c^{i+1}, \sigma_{i+1}))$. By the same argument as in the base case, the evaluation of the predicate expression w.r.t. the value store $\sigma_{i+1}$ produces a nonzero integer value.

The execution of $s$ proceeds as follows:

$(s, m_{i+1}(f, \mathrm{loop}_c^{i+1}, \sigma_{i+1}))$
$= (\mathrm{while}_{(n)}(e)\{S\}, m_{i+1}(f, \mathrm{loop}_c^{i+1}, \sigma_{i+1}))$
$\to (\mathrm{while}_{(n)}(\mathcal{E}[\![e]\!]\sigma_{i+1})\{S\}, m_{i+1}(f, \mathrm{loop}_c^{i+1}, \sigma_{i+1}))$ by the EEval rule
$\to (S; \mathrm{while}_{(n)}(e)\{S\}, m_{i+1}(f, \mathrm{loop}_c^{i+1}[(i+1)/n], \sigma_{i+1}))$ by the Wh-T rule.

The lemma holds. □

Lemma 5.25. Let $s_1 = \text{``}\mathrm{while}_{(n_1)}(e_1)\{S_1\}\text{''}$ and $s_2 = \text{``}\mathrm{while}_{(n_2)}(e_2)\{S_2\}\text{''}$ be two while statements such that all of the following hold:

• There are output statements in $s_1$ and $s_2$, $\exists e_1', e_2' : (\text{``output } e_1'\text{''} \in s_1) \wedge (\text{``output } e_2'\text{''} \in s_2)$;

• $s_1$ and $s_2$ have the same set of termination deciding variables relative to output and the same set of imported variables relative to output, $(\mathrm{TVar}_O(s_1) = \mathrm{TVar}_O(s_2) = \mathrm{TVar}(s)) \wedge (\mathrm{Imp}_O(s_1) = \mathrm{Imp}_O(s_2) = \mathrm{Imp}(io))$;

• The loop bodies $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of the out-deciding variables of $s_1$ and $s_2$, $\forall x \in \mathrm{OVar}(s) = \mathrm{TVar}(s) \cup \mathrm{Imp}(io) : S_1 =_x S_2$;

• The loop bodies $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, $S_1 =_H S_2$;

• The loop bodies $S_1$ and $S_2$ produce the same output sequence when started in states with crash flags not set and whose value stores agree on the values of the variables in $\mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2)$, $\forall m_{S_1}(f_1, \sigma_{S_1}), m_{S_2}(f_2, \sigma_{S_2}) :$
$((f_1 = f_2 = 0) \wedge (\forall x \in \mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2) : \sigma_{S_1}(x) = \sigma_{S_2}(x))) \Rightarrow ((S_1, m_{S_1}(f_1, \sigma_{S_1})) =_O (S_2, m_{S_2}(f_2, \sigma_{S_2})))$.

If $s_1$ and $s_2$ start in states $m_1(f_1, \mathrm{loop}_c^1, \sigma_1)$ and $m_2(f_2, \mathrm{loop}_c^2, \sigma_2)$ respectively, with crash flags not set, $f_1 = f_2 = 0$, in which $s_1$ and $s_2$ have not started execution, $\mathrm{loop}_c^1(n_1) = \mathrm{loop}_c^2(n_2) = 0$, and whose value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{OVar}(s)$, $\forall x \in \mathrm{OVar}(s) : \sigma_1(x) = \sigma_2(x)$, then one of the following holds:

1. $s_1$ and $s_2$ both terminate and produce the same output sequence:
$(s_1, m_1) \to^* (\mathrm{skip}, m_1'(\sigma_1'))$, $(s_2, m_2) \to^* (\mathrm{skip}, m_2'(\sigma_2'))$ where $\sigma_1'(id_{IO}) = \sigma_2'(id_{IO})$.

2. $s_1$ and $s_2$ both do not terminate, $\forall k > 0 : (s_1, m_1) \to^k (S_{1k}, m_{1k})$, $(s_2, m_2) \to^k (S_{2k}, m_{2k})$ where $S_{1k} \neq \mathrm{skip}$, $S_{2k} \neq \mathrm{skip}$, and one of the following holds:

(a) For any positive integer $i$, there are two configurations $(s_1, m_{1i})$ and $(s_2, m_{2i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$ and the value stores agree on the values of the variables in $\mathrm{OVar}(s)$, and in every state of the executions $(s_1, m_1) \to^* (s_1, m_{1i})$ and $(s_2, m_2) \to^* (s_2, m_{2i})$ the loop counters of $s_1$ and $s_2$ are less than or equal to $i$:

$\forall i > 0\ \exists (s_1, m_{1i}), (s_2, m_{2i}) : (s_1, m_1) \to^* (s_1, m_{1i}(f_1, \mathrm{loop}_c^{1i}, \sigma_{1i})) \wedge (s_2, m_2) \to^* (s_2, m_{2i}(f_2, \mathrm{loop}_c^{2i}, \sigma_{2i}))$ where

• $f_1 = f_2 = 0$; and

• $\mathrm{loop}_c^{1i}(n_1) = \mathrm{loop}_c^{2i}(n_2) = i$; and

• $\forall x \in \mathrm{OVar}(s) : \sigma_{1i}(x) = \sigma_{2i}(x)$; and

• $\forall m_1' : ((s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1\prime})) \to^* (s_1, m_{1i}(\mathrm{loop}_c^{1i}, \sigma_{1i}))) \Rightarrow \mathrm{loop}_c^{1\prime}(n_1) \leq i$; and

• $\forall m_2' : ((s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2\prime})) \to^* (s_2, m_{2i}(\mathrm{loop}_c^{2i}, \sigma_{2i}))) \Rightarrow \mathrm{loop}_c^{2\prime}(n_2) \leq i$;

(b) The loop counters of $s_1$ and $s_2$ are less than a smallest positive integer $i$ and all of the following hold:

• $\exists i > 0\ \forall m_1', m_2' : (s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1\prime}))$, $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2\prime}))$ where $\mathrm{loop}_c^{1\prime}(n_1) < i \wedge \mathrm{loop}_c^{2\prime}(n_2) < i$;

• $\forall 0 < j < i$, there are two configurations $(s_1, m_{1j})$ and $(s_2, m_{2j})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $j$ and the value stores agree on the values of the variables in $\mathrm{OVar}(s)$:
$\exists (s_1, m_{1j}), (s_2, m_{2j}) : (s_1, m_1) \to^* (s_1, m_{1j}(f_1, \mathrm{loop}_c^{1j}, \sigma_{1j})) \wedge (s_2, m_2) \to^* (s_2, m_{2j}(f_2, \mathrm{loop}_c^{2j}, \sigma_{2j}))$ where
 ▪ $f_1 = f_2 = 0$; and
 ▪ $\mathrm{loop}_c^{1j}(n_1) = \mathrm{loop}_c^{2j}(n_2) = j$; and
 ▪ $\forall x \in \mathrm{OVar}(s) : \sigma_{1j}(x) = \sigma_{2j}(x)$.

• If $i = 1$, then the I/O sequence is not redefined in any state reachable from $(s_1, m_1)$ and $(s_2, m_2)$:
 ▪ $\forall m_1'' : (s_1, m_1(\mathrm{loop}_c^1, \sigma_1)) \to^* (S_1'', m_1''(\sigma_1''))$ where $\sigma_1''(id_{IO}) = \sigma_1(id_{IO})$;
 ▪ $\forall m_2'' : (s_2, m_2(\mathrm{loop}_c^2, \sigma_2)) \to^* (S_2'', m_2''(\sigma_2''))$ where $\sigma_2''(id_{IO}) = \sigma_2(id_{IO})$.

• If $i > 1$, then the I/O sequence is not redefined in any state reachable from $(s_1, m_{1,i-1})$ and $(s_2, m_{2,i-1})$:
 ▪ $\forall m_1'' : (s_1, m_{1,i-1}(\mathrm{loop}_c^{1,i-1}, \sigma_{1,i-1})) \to^* (S_1'', m_1''(\sigma_1''))$ where $\sigma_1''(id_{IO}) = \sigma_{1,i-1}(id_{IO})$;
 ▪ $\forall m_2'' : (s_2, m_{2,i-1}(\mathrm{loop}_c^{2,i-1}, \sigma_{2,i-1})) \to^* (S_2'', m_2''(\sigma_2''))$ where $\sigma_2''(id_{IO}) = \sigma_{2,i-1}(id_{IO})$.

(c) The loop counters of $s_1$ and $s_2$ are less than or equal to a smallest positive integer $i$ and all of the following hold:

• $\exists i > 0\ \forall m_1', m_2' : (s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1\prime}))$, $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2\prime}))$ where $\mathrm{loop}_c^{1\prime}(n_1) \leq i \wedge \mathrm{loop}_c^{2\prime}(n_2) \leq i$;

• There are no configurations $(s_1, m_{1i})$ and $(s_2, m_{2i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ respectively, in which the crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$, and the value stores agree on the values of the variables in $\mathrm{OVar}(s)$:
$\nexists (s_1, m_{1i}), (s_2, m_{2i}) : (s_1, m_1) \to^* (s_1, m_{1i}(f_1, \mathrm{loop}_c^{1i}, \sigma_{1i})) \wedge (s_2, m_2) \to^* (s_2, m_{2i}(f_2, \mathrm{loop}_c^{2i}, \sigma_{2i}))$ where
 ▪ $f_1 = f_2 = 0$; and
 ▪ $\mathrm{loop}_c^{1i}(n_1) = \mathrm{loop}_c^{2i}(n_2) = i$; and
 ▪ $\forall x \in \mathrm{OVar}(s) : \sigma_{1i}(x) = \sigma_{2i}(x)$.

• $\forall 0 < j < i$, there are two configurations $(s_1, m_{1j})$ and $(s_2, m_{2j})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ respectively, in which the crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $j$ and the value stores agree on the values of the variables in $\mathrm{OVar}(s)$:
$\exists (s_1, m_{1j}), (s_2, m_{2j}) : (s_1, m_1) \to^* (s_1, m_{1j}(f_1, \mathrm{loop}_c^{1j}, \sigma_{1j})) \wedge (s_2, m_2) \to^* (s_2, m_{2j}(f_2, \mathrm{loop}_c^{2j}, \sigma_{2j}))$ where
 ▪ $f_1 = f_2 = 0$; and
 ▪ $\mathrm{loop}_c^{1j}(n_1) = \mathrm{loop}_c^{2j}(n_2) = j$; and
 ▪ $\forall x \in \mathrm{OVar}(s) : \sigma_{1j}(x) = \sigma_{2j}(x)$.

• If $i = 1$, then the executions from $(s_1, m_1)$ and $(s_2, m_2)$ produce the same output sequence:
$(s_1, m_1(\mathrm{loop}_c^1, \sigma_1)) =_O (s_2, m_2(\mathrm{loop}_c^2, \sigma_2))$.

• If $i > 1$, then the executions from $(s_1, m_{1,i-1})$ and $(s_2, m_{2,i-1})$ produce the same output sequence:
$(s_1, m_{1,i-1}(\mathrm{loop}_c^{1,i-1}, \sigma_{1,i-1})) =_O (s_2, m_{2,i-1}(\mathrm{loop}_c^{2,i-1}, \sigma_{2,i-1}))$.

Proof. We show that $s_1$ and $s_2$ terminate in the same way when started in states $m_1(f_1, \mathrm{loop}_c^1, \sigma_1)$ and $m_2(f_2, \mathrm{loop}_c^2, \sigma_2)$ respectively, $(s_1, m_1) =_H (s_2, m_2)$. In addition, we show that $s_1$ and $s_2$ produce the same output sequence in each of the possible ways of terminating in the same way, $(s_1, m_1) =_O (s_2, m_2)$.

By definition, $s_1$ and $s_2$ satisfy the proof rule of termination in the same way because:

• The loop bodies $S_1$ and $S_2$ satisfy the proof rule of termination in the same way. This is by assumption.

• The loop bodies $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of the termination deciding variables of $s_1$ and $s_2$, $\forall x \in \mathrm{TVar}(s_1) \cup \mathrm{TVar}(s_2) : S_1 =_x S_2$. By the definition of $\mathrm{OVar}(s)$, $\mathrm{TVar}_O(s_1) \subseteq \mathrm{OVar}(s_1)$ and $\mathrm{TVar}_O(s_2) \subseteq \mathrm{OVar}(s_2)$. By the definition of $\mathrm{TVar}_O$, since $s_1$ and $s_2$ contain output statements, $\mathrm{TVar}_O(s_1) = \mathrm{TVar}(s_1)$ and $\mathrm{TVar}_O(s_2) = \mathrm{TVar}(s_2)$.

By Lemma 5.16 we show that $s_1$ and $s_2$ terminate in the same way when started in states $m_1(f_1, \mathrm{loop}_c^1, \sigma_1)$ and $m_2(f_2, \mathrm{loop}_c^2, \sigma_2)$. We need to show that all the required conditions are satisfied.

• The crash flags are not set, $f_1 = f_2 = 0$;

• The loop counters of $s_1$ and $s_2$ are initially zero, $\mathrm{loop}_c^1(n_1) = \mathrm{loop}_c^2(n_2) = 0$;

• $s_1$ and $s_2$ have the same set of termination deciding variables, $\mathrm{TVar}(s_1) = \mathrm{TVar}(s_2) = \mathrm{TVar}(s)$;

• The value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{TVar}(s_1) = \mathrm{TVar}(s_2)$, $\forall x \in \mathrm{TVar}(s) : \sigma_1(x) = \sigma_2(x)$.

The above four conditions are from the assumptions.

• The loop bodies $S_1$ and $S_2$ terminate in the same way when started in states with crash flags not set and whose value stores agree on the values of the variables in $\mathrm{TVar}(S_1) \cup \mathrm{TVar}(S_2)$. This is by Theorem 4.

Therefore, by Lemma 5.16, one of the following holds:

1. $s_1$ and $s_2$ both terminate, and there is a positive integer $i$ such that the loop counters of $s_1$ and $s_2$ are less than $i$, i.e. less than or equal to $i - 1$:
$(s_1, m_1) \to^* (\mathrm{skip}, m_1')$, $(s_2, m_2) \to^* (\mathrm{skip}, m_2')$.

We show that, when $s_1$ and $s_2$ terminate, the value stores of $s_1$ and $s_2$ agree on the value of the I/O sequence variable, by the lemma on equivalent computation by two while statements (Lemma 5.x; its number is illegible in the source). We need to show that all the required conditions hold.

• $\forall x \in \mathrm{Imp}(io) : \sigma_1(x) = \sigma_2(x)$;

• $\mathrm{loop}_c^1(n_1) = \mathrm{loop}_c^2(n_2) = 0$.

The above two conditions are from the assumptions.

• $id_{IO} \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$. This holds because there are output statements in $s_1$ and $s_2$: by the definition of $\mathrm{Def}(\cdot)$, the I/O sequence variable is defined in $s_1$ and $s_2$.

• $\mathrm{Imp}(s_1, \{id_{IO}\}) = \mathrm{Imp}(s_2, \{id_{IO}\}) = \mathrm{Imp}(io)$. By the definition of $\mathrm{Imp}_O(\cdot)$, $\mathrm{Imp}_O(s_1) = \mathrm{Imp}(s_1, \{id_{IO}\})$ and $\mathrm{Imp}_O(s_2) = \mathrm{Imp}(s_2, \{id_{IO}\})$.

• $\forall y \in \mathrm{Imp}(io), \forall m_{S_1}(\sigma_{S_1}), m_{S_2}(\sigma_{S_2}) :$
$((\forall z \in \mathrm{Imp}(S_1, \mathrm{Imp}(io)) \cup \mathrm{Imp}(S_2, \mathrm{Imp}(io)) : \sigma_{S_1}(z) = \sigma_{S_2}(z)) \Rightarrow ((S_1, m_{S_1}(\sigma_{S_1})) =_y (S_2, m_{S_2}(\sigma_{S_2}))))$.
This is by Theorem 2.

In addition, by the semantic rules, the I/O sequence is appended by at most one value in one step. Hence $s_1$ and $s_2$ produce the same output sequence when started in states $m_1$ and $m_2$ respectively.

2. $s_1$ and $s_2$ both do not terminate, $\forall k > 0 : (s_1, m_1) \to^k (S_{1k}, m_{1k})$, $(s_2, m_2) \to^k (S_{2k}, m_{2k})$ where $S_{1k} \neq \mathrm{skip}$, $S_{2k} \neq \mathrm{skip}$, and one of the following holds:

(a) $\forall i > 0$, there are two configurations $(s_1, m_{1i})$ and $(s_2, m_{2i})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $i$ and the value stores agree on the values of the variables in $\mathrm{TVar}(s)$:

$\forall i > 0\ \exists (s_1, m_{1i}), (s_2, m_{2i}) : (s_1, m_1) \to^* (s_1, m_{1i}(f_1, \mathrm{loop}_c^{1i}, \sigma_{1i})) \wedge (s_2, m_2) \to^* (s_2, m_{2i}(f_2, \mathrm{loop}_c^{2i}, \sigma_{2i}))$ where

• $f_1 = f_2 = 0$; and

• $\mathrm{loop}_c^{1i}(n_1) = \mathrm{loop}_c^{2i}(n_2) = i$; and

• $\forall x \in \mathrm{TVar}(s) : \sigma_{1i}(x) = \sigma_{2i}(x)$; and

• $\forall m_1' : ((s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1\prime})) \to^* (s_1, m_{1i}(\mathrm{loop}_c^{1i}, \sigma_{1i}))) \Rightarrow \mathrm{loop}_c^{1\prime}(n_1) \leq i$; and

• $\forall m_2' : ((s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2\prime})) \to^* (s_2, m_{2i}(\mathrm{loop}_c^{2i}, \sigma_{2i}))) \Rightarrow \mathrm{loop}_c^{2\prime}(n_2) \leq i$.

We show that, for any positive integer $i$, the value stores $\sigma_{1i}$ and $\sigma_{2i}$ agree on the values of the variables in $\mathrm{Imp}(io)$, by the proof of Lemma 5.x. We need to show that all the required conditions are satisfied.

• $\forall x \in \mathrm{Imp}(io) : \sigma_1(x) = \sigma_2(x)$;

• $\mathrm{loop}_c^1(n_1) = \mathrm{loop}_c^2(n_2) = 0$.

The above two conditions are by assumption.

• $id_{IO} \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$;

• $\mathrm{Imp}(s_1, \{id_{IO}\}) = \mathrm{Imp}(s_2, \{id_{IO}\}) = \mathrm{Imp}(io)$.

The above two conditions are obtained by the same argument as in the case where $s_1$ and $s_2$ both terminate.

• $\forall y \in \mathrm{Imp}(io), \forall m_{S_1}(\sigma_{S_1}), m_{S_2}(\sigma_{S_2}) :$
$((\forall z \in \mathrm{Imp}(S_1, \mathrm{Imp}(io)) \cup \mathrm{Imp}(S_2, \mathrm{Imp}(io)) : \sigma_{S_1}(z) = \sigma_{S_2}(z)) \Rightarrow ((S_1, m_{S_1}(\sigma_{S_1})) =_y (S_2, m_{S_2}(\sigma_{S_2}))))$.
This is by Theorem 2.

We cannot apply Lemma 5.x directly because $s_1$ and $s_2$ do not terminate. But the proof of Lemma 5.x carries over almost unchanged, using the fact that there are reachable configurations with arbitrarily large loop counters of $s_1$ and $s_2$ in which the crash flags are not set.

Then $\forall i > 0, \forall x \in \mathrm{Imp}(io) : \sigma_{1i}(x) = \sigma_{2i}(x)$. In addition, by the semantic rules, the I/O sequence is appended by at most one value in one step. The lemma holds.

(b) The loop counters of $s_1$ and $s_2$ are less than a smallest positive integer $i$ and all of the following hold:

• $\exists i > 0\ \forall m_1', m_2' : (s_1, m_1) \to^* (S_1', m_1'(\mathrm{loop}_c^{1\prime}))$, $(s_2, m_2) \to^* (S_2', m_2'(\mathrm{loop}_c^{2\prime}))$ where $\mathrm{loop}_c^{1\prime}(n_1) < i$, $\mathrm{loop}_c^{2\prime}(n_2) < i$;

• $\forall 0 < j < i$, there are two configurations $(s_1, m_{1j})$ and $(s_2, m_{2j})$ reachable from $(s_1, m_1)$ and $(s_2, m_2)$ respectively, in which both crash flags are not set, the loop counters of $s_1$ and $s_2$ are equal to $j$ and the value stores agree on the values of the variables in $\mathrm{TVar}(s)$:
$\exists (s_1, m_{1j}), (s_2, m_{2j}) : (s_1, m_1) \to^* (s_1, m_{1j}(f_1, \mathrm{loop}_c^{1j}, \sigma_{1j})) \wedge (s_2, m_2) \to^* (s_2, m_{2j}(f_2, \mathrm{loop}_c^{2j}, \sigma_{2j}))$ where
 ▪ $f_1 = f_2 = 0$; and
 ▪ $\mathrm{loop}_c^{1j}(n_1) = \mathrm{loop}_c^{2j}(n_2) = j$; and
 ▪ $\forall x \in \mathrm{TVar}(s) : \sigma_{1j}(x) = \sigma_{2j}(x)$.

This case corresponds to the situation in which the $i$th evaluations of the predicate expressions of $s_1$ and $s_2$ raise an exception. There are two possibilities regarding the value of $i$.

i. $i = 1$.

$s_1$ and $s_2$ raise an exception in the first evaluation of their predicate expressions, because the loop counters of $s_1$ and $s_2$ are less than 1. As shown in the proof of Lemma 5.16, the value stores $\sigma_1$ and $\sigma_2$ in the states $m_1$ and $m_2$ are not modified by the first evaluation of the predicate expressions of $s_1$ and $s_2$, and they are not modified after $s_1$ and $s_2$ crash, by the rule Crash. In the corresponding initial states the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{OVar}(s)$. Thus $\sigma_1(id_{IO}) = \sigma_2(id_{IO})$. The lemma holds.

ii. $i > 1$.

We show that, for any integer $0 < j < i$, the value stores $\sigma_{1j}$ and $\sigma_{2j}$ agree on the values of the variables in $\mathrm{Imp}(io)$, by the proof of Lemma 5.x. We need to show that all the required conditions are satisfied.

• $\forall x \in \mathrm{Imp}(io) : \sigma_1(x) = \sigma_2(x)$;

• $\mathrm{loop}_c^1(n_1) = \mathrm{loop}_c^2(n_2) = 0$.

The above two conditions are from the assumptions.

• $id_{IO} \in \mathrm{Def}(s_1) \cap \mathrm{Def}(s_2)$;

• $\mathrm{Imp}(s_1, \{id_{IO}\}) = \mathrm{Imp}(s_2, \{id_{IO}\}) = \mathrm{Imp}(io)$.

The above two conditions are obtained by the same argument as in the case where $s_1$ and $s_2$ terminate.

• $\forall y \in \mathrm{Imp}(io), \forall m_{S_1}(\sigma_{S_1}), m_{S_2}(\sigma_{S_2}) :$
$((\forall z \in \mathrm{Imp}(S_1, \mathrm{Imp}(io)) \cup \mathrm{Imp}(S_2, \mathrm{Imp}(io)) : \sigma_{S_1}(z) = \sigma_{S_2}(z)) \Rightarrow ((S_1, m_{S_1}(\sigma_{S_1})) =_y (S_2, m_{S_2}(\sigma_{S_2}))))$.
This is by Theorem 2.

We cannot apply Lemma 5.x directly because $s_1$ and $s_2$ do not terminate. But the proof of Lemma 5.x carries over almost unchanged, using the fact that there are reachable configurations $(s_1, m_{1,i-1})$ and $(s_2, m_{2,i-1})$ in which the loop counters of $s_1$ and $s_2$ have the value $i - 1$ and the crash flags are not set.

By assumption, there is a configuration $(s_1, m_{1,i-1}(f_1, \mathrm{loop}_c^{1,i-1}, \sigma_{1,i-1}))$ reachable from $(s_1, m_1)$ in which the loop counter of $s_1$ is $i - 1$ and the crash flag is not set; there is also a configuration $(s_2, m_{2,i-1}(f_2, \mathrm{loop}_c^{2,i-1}, \sigma_{2,i-1}))$ reachable from $(s_2, m_2)$ in which the loop counter of $s_2$ is $i - 1$ and the crash flag is not set. In addition, the value stores $\sigma_{1,i-1}$ and $\sigma_{2,i-1}$ agree on the values of the variables in $\mathrm{Imp}(io)$. As shown in the proof of Lemma 5.15, the $i$th evaluations of the predicate expressions of $s_1$ and $s_2$ must raise an exception, because the loop counters of $s_1$ and $s_2$ are less than $i$. Then the I/O sequence is not redefined in any state reachable from $(s_1, m_{1,i-1}(f_1, \mathrm{loop}_c^{1,i-1}, \sigma_{1,i-1}))$ and $(s_2, m_{2,i-1}(f_2, \mathrm{loop}_c^{2,i-1}, \sigma_{2,i-1}))$ respectively. In addition, by the semantic rules, the I/O sequence is appended by at most one value in one step. The lemma holds.
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(c) The loop counters for si and S2 are less than or equal to a 
smallest positive integer i and all of the followings hold: 

• 3 i> 0 Vmi,m 2 : (si, mi) A (Sj, mi(loop^ )), (s2, m2) A 
(S2,m2(loop^ )) where loop); (m) < i, 
loop) (n2) < i; 

• There are no configurations (si,mi.) and (s2,m2;) 
reachable from (si,mi) and (s2,m2), respectively, in 
which crash flags are not set, the loop counters of si and 
S2 are equal to i, and value stores agree on values of 
variables in TVar(s): 

: (si,mi) A (si,mi^(fi,loop)% ctiJ)A 
(S2,m2) A (s2,m2i(f2,loop)%cr2j) where 

■ fi = f2 = 0 ; and 

■ loop)’(ni) = loop)'(n2) = i; and 

■ Va; G TVar(s) : ai. (x) = a2- (x). 

• VO < j < i, there are two configurations (si, mi^) 
and (S2,m2j) reachable from (si,mi) and (s2,m2), 
respectively, in which both crash flags are not set, the 
loop counters of si and S2 are equal to j and value stores 
agree on values of variables in TVar(s): 

3 (si,mi^.), (S2,m2j) : (si, mi) A (si, mi^. (fi, loop)^ cti^ ))A 
(S2,m2) A (s2,m2j(f2,loopc^o-2j-)) where 

■ fi = f2 = 0 ; and 

■ loopc^ (ni) = loopc^ (n2) = j; and 

•Vx e TVar(s) : ai. (x) = a2- (x). 

This case corresponds to the situation that, the ith evaluation 
of the predicate expression of si and S2 produce same 
nonzero integer value and loop bodies ^i and S2 do not 
terminate after the ith evaluation of the predicate expression 
of Si and S2. There are two possibilities regarding the value 
of i. 

i. i = 1. 

By assumption, we have the initial value stores ai and 
(72 agree on values of variables in OVar(s). In the proof 
of Lemma l 5 . 15 l the execution of si proceeds as follows: 


We show that, for any positive integer 0 < j < i, 
value stores ai^ and (T2 j agree on values of variables 
in Imp(io) by the proof of Lemma lST] We need to show 
that all the required conditions are satisfied. 

• Vx G Imp(io) : cri(a;) = 0-2(0;); 

• loop)(ni) = loop) (712) = 0 ; 

The above two conditions are from assumption. 

• idio G Def(si) nDef(s2); 

• Imp(si, {idio}) = Imp(s2, {idio}) = Imp(io); 

The above two conditions are obtained by the same 

argument in the case that si and S2 terminate. 

•Vy G Imp(io),Vmsi(o-Si)ms2(o-S2) : 

{{Vz G Imp(S'i, Imp(jo))Ulmp(S'2, Imp(io)), CTSj (2;) = 

0-32(2)) 

(Si,msi(o-Si)) =y {S2,ms2io-S2)))- 

By Theorem |2 

We cannot apply Lemma IST] directly because si and S2 
do not terminate. But we can still have the proof closely 
similar to that of Lemma lsTI The reason is that there are 
reachable configurations (Si; si, m'l) and (S2; S2, m^) 
with loop counters of si and S2 of value i and crash 
flags not set. This is by Lemma [ 5.241 because there are 
configurations reachable from (si,mi) and (s2,m2) 
respectively with loop counters of si and S2 of i. 

There are configurations (si,mi^_j) reachable from 
(si,mi) and (s2,m2i_i) reachable from {82,m2) in 
which loop counters of si and 82 are i —1 and crash flags 
are not set and value stores agree on values of variables 
in Imp(io). Because loop counters of si and 82 are less 
than or equal to i. Then the execution of si proceeds as 
follows: 

(si, mi,_j (loop)*-i, cri,_ J) 

= (while<„j)(e) {Si}, mi,_i (loop)'-i, cri,_ J) 
-:^(while(„^) (n) {Si}, (loop)'-i, crii_i)) 
by the EEval rule 

-^■(Si; while(„^) (e) {Si}, (loop)*-i [i/n{\, 
by the Wh-T rule. 


(si, mi (loop), (Ti)) 

= (while<„^)(e) {Si}, mi(loop), cri)) 

—^(while^nj^) (n) {Si}, mi(loop), cti)) by the EEval rule 
-^■(Si; while(„^) (e) {Si}, mi(loop)[l/ni], cri)) 
by the Wh-T rule. 

The execution of 82 proceeds to (S2; while^n^) (e) {S2}, 
m2 (loop) [1/712], 1x2)) ■ Then the execution of Si and S2 
do not terminate when started in states mi (loop) [ 1 /ni ], ai) 
and m2 (loop) [1/712], 0-2). By assumption, value stores 
CTi and (72 agree on values of the out-deciding vari¬ 
ables of Si and 82, Vx G OVar(si) U OVar(s2) : 
0-1(2:) = 0-2(2;). By definition, Imp(Si, {id/o}) L 
Imp(si, {idjo}), CVar(Si) C CVar(si) andLVar (Si) C 
LVar(si).Thus,TVar(Si) C TVarfsiLBv Lemma l 5 . 20 l 
TVaro(Si) C TVar(Si). By Lemma lST^ Imp^(Si) C 
Imp(Si,id/o)- In conclusion, OVar(Si) C OVar(si). 
Similarly,OVar(S2) L OVar(s2).Thus, V2; G OVar(Si)U 
OVar(S2) : 01(2;) = 02(2;). Then executions of Si and 
S2 when started from states 

mi(loop)[l/ni[, 0-1) and m2(loop)[1/712], 0-2) pro¬ 
duce the same output sequence; 

(Si, mi(loop)[l/ni], 01)) =0 (S2,m2(loop)[l/n2],o-2)). 
In addition, by the semantic rules, the I/O sequence is 
appended at most by one value in one step. The lemma 
holds, 
ii. 7 > 1 . 


The execution of 82 proceeds to (S 2 ; while^^^) (e) {S 2 }, 

_ 1 (loop)' [7/772], o-2i_j)).By similar argument in 
the case 7 = 1 , S2 and Si produce the same output se¬ 
quence when started in states mi-_^ (loop)'“i [i/rii], o-i;_j) 
and m2i_i (loop)*“i [7/712], o-2i_i) respectively. In ad¬ 
dition, by the semantic rules, the I/O sequence is ap¬ 
pended at most by one value in one step. The lemma 
holds. 

□ 

Corollary 5.5. Let $s_1 = \text{``}\mathrm{while}_{(n_1)}(e_1)\{S_1\}\text{''}$ and $s_2 = \text{``}\mathrm{while}_{(n_2)}(e_2)\{S_2\}\text{''}$ be two while statements such that all of the following hold:

• There are output statements in $s_1$ and $s_2$, $\exists e_1', e_2' : (\text{``output } e_1'\text{''} \in s_1) \wedge (\text{``output } e_2'\text{''} \in s_2)$;

• $s_1$ and $s_2$ have the same set of termination deciding variables and the same set of imported variables relative to the I/O sequence variable, $(\mathrm{TVar}(s_1) = \mathrm{TVar}(s_2) = \mathrm{TVar}(s)) \wedge (\mathrm{Imp}(s_1, \{id_{IO}\}) = \mathrm{Imp}(s_2, \{id_{IO}\}) = \mathrm{Imp}(io))$;

• The loop bodies $S_1$ and $S_2$ satisfy the proof rule of equivalent computation of the out-deciding variables of $s_1$ and $s_2$, $\forall x \in \mathrm{OVar}(s) = \mathrm{TVar}(s) \cup \mathrm{Imp}(io) : S_1 =_x S_2$;

• The loop bodies $S_1$ and $S_2$ satisfy the proof rule of termination in the same way, $S_1 =_H S_2$;

• The loop bodies $S_1$ and $S_2$ produce the same output sequence when started in states with crash flags not set and agreeing on the values of the variables in $\mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2)$, $\forall m_{S_1}(f_1, \sigma_{S_1}), m_{S_2}(f_2, \sigma_{S_2}) :$
$((f_1 = f_2 = 0) \wedge (\forall x \in \mathrm{OVar}(S_1) \cup \mathrm{OVar}(S_2) : \sigma_{S_1}(x) = \sigma_{S_2}(x))) \Rightarrow ((S_1, m_{S_1}(f_1, \sigma_{S_1})) =_O (S_2, m_{S_2}(f_2, \sigma_{S_2})))$.

If $s_1$ and $s_2$ start in states $m_1(f_1, \mathrm{loop}_c^1, \sigma_1)$ and $m_2(f_2, \mathrm{loop}_c^2, \sigma_2)$ respectively, with crash flags not set, $f_1 = f_2 = 0$, in which $s_1$ and $s_2$ have not started execution, $\mathrm{loop}_c^1(n_1) = \mathrm{loop}_c^2(n_2) = 0$, and whose value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{OVar}(s)$, $\forall x \in \mathrm{OVar}(s) : \sigma_1(x) = \sigma_2(x)$, then $s_1$ and $s_2$ produce the same output sequence: $(s_1, m_1) =_O (s_2, m_2)$.

This follows from Lemma 5.25.

5.5 Backward compatible DSU based on program equ​ivalence

Based on the equivalence result above, we show that backward compatible DSU exists. We need to show that there is a mapping from old program configurations to new program configurations such that the hybrid execution obtained from the configuration mapping is backward compatible. We do not provide a practical algorithm to calculate the state mapping. Instead, we only show that for some old program configurations there exist corresponding new program configurations, obtained via a simulation. The treatment in this section is informal.

The idea is to map a configuration just before an output is produced to a corresponding configuration of the new program. By the proof rule of same output sequences, not every statement of the old program corresponds to a statement of the new program, but every output statement of the old program corresponds to an output statement of the new program. Consider a configuration $C_1$ of the old program whose leftmost statement (the next statement to execute) is an output statement. We define a corresponding configuration of the new program by simulating the execution of the new program on the input consumed so far in $C_1$. There are two cases. When the leftmost statement in $C_1$ is not included in a loop statement, it is easy to know when to stop the simulation. Otherwise, the condition of same output sequences gives a bijection between the loop statements that include output statements, so the loop counters in the old program configuration $C_1$ tell how many iterations of the corresponding loop statements of the new program must be carried out. By the equivalence theorems above there must be a configuration $C_2$ corresponding to $C_1$, and the executions starting from $C_1$ and $C_2$ produce the same output sequence by Theorem 5. In conclusion, we obtain a backward compatible hybrid execution whose state mapping is from $C_1$ to $C_2$.


6. Real world backward compatible update classes: proof rules

We propose a formal treatment of the real world update classes. For each update class, we show how the old program and the new program produce the same I/O sequence, which guarantees backward compatible DSU.

6.1 Proof rule for specializing new configuration variables

New configuration variables can be introduced to generalize functionality. Figure 15 shows an example of how a new configuration variable introduces new code. The two statement sequences in Figure 15 are equivalent when the new variable $b$ is specialized to 0.

Our generalized formal definition of "specializing new configuration variables" is as follows.


old                         new
                            1': if (b) then
                            2':   output a * 2
                            3': else
4: output a + 2             4':   output a + 2

Figure 15: Specializing new configuration variables
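The configuration mapping of Section 5.5 and the specialization in Figure 15 can be exercised on a toy interpreter. The following Python block is an added example, not code from the paper: it implements a small-step interpreter for a W-like fragment with labelled while loops, loop counters, a crash flag and an I/O sequence, then does the Section 5.5 mapping by simulation (run the new program on the same input until it is about to produce the same output as the old configuration) and continues execution in the new program. The programs OLD and NEW, the input stream, the tuple encoding of statements, the rule names in the comments and the treatment of exhausted input as a crash are all this example's own assumptions; the paper's definitions are not reproduced by them.

```python
from typing import Callable, Dict, List, Optional, Tuple

Store = Dict[str, int]
Expr = Callable[[Store], int]
# A configuration (S, m): remaining statements (leftmost executes next), value
# store sigma, loop counters loop_c, crash flag f, remaining input, output sequence.
Config = Tuple[list, Store, Dict[str, int], bool, list, list]


def evaluate(expr: Expr, store: Store) -> Optional[int]:
    """Evaluate an expression; None plays the role of 'error' in the EEval rule."""
    try:
        return int(expr(store))
    except Exception:
        return None


def step(cfg: Config) -> Config:
    """One small step of the toy semantics (rule names in comments follow the paper)."""
    stmts, store, loops, crashed, inputs, outputs = cfg
    if crashed or not stmts:        # Crash rule: stuck forever; empty S: terminated
        return cfg
    s, rest = stmts[0], stmts[1:]
    crash = (stmts, store, loops, True, inputs, outputs)   # ECrash: set f, keep stores
    kind = s[0]
    if kind == "assign":            # ("assign", x, e)
        v = evaluate(s[2], store)
        return crash if v is None else (rest, {**store, s[1]: v}, loops, False, inputs, outputs)
    if kind == "output":            # ("output", e): append to the I/O sequence
        v = evaluate(s[1], store)
        return crash if v is None else (rest, store, loops, False, inputs, outputs + [v])
    if kind == "input":             # ("input", x); exhausted input is treated as a crash here
        if not inputs:
            return crash
        return (rest, {**store, s[1]: inputs[0]}, loops, False, inputs[1:], outputs)
    if kind == "if":                # ("if", e, then_S, else_S)
        v = evaluate(s[1], store)
        if v is None:
            return crash
        return ((s[2] if v != 0 else s[3]) + rest, store, loops, False, inputs, outputs)
    if kind == "while":             # ("while", label n, e, body S)
        _, n, e, body = s
        v = evaluate(e, store)
        if v is None:
            return crash
        if v == 0:                  # Wh-F: leave the loop and reset loop_c(n) to 0
            return (rest, store, {**loops, n: 0}, False, inputs, outputs)
        # Wh-T: unfold to S; while_(n)(e){S} and increment loop_c(n)
        return (body + stmts, store, {**loops, n: loops.get(n, 0) + 1}, False, inputs, outputs)
    raise ValueError(f"unknown statement kind {kind!r}")


def initial(prog: list, store: Store, inputs: List[int]) -> Config:
    return (list(prog), dict(store), {}, False, list(inputs), [])


def run_from(cfg: Config, max_steps: int = 10_000) -> Config:
    """Run until termination or crash; the step budget cuts off non-terminating runs."""
    for _ in range(max_steps):
        if not cfg[0] or cfg[3]:
            break
        cfg = step(cfg)
    return cfg


def before_kth_output(prog, store, inputs, k, max_steps=10_000) -> Optional[Config]:
    """Simulate prog to the configuration whose leftmost statement is an output
    statement and which has already produced k outputs (just before output k+1)."""
    cfg = initial(prog, store, inputs)
    for _ in range(max_steps):
        stmts, _, _, crashed, _, outputs = cfg
        if crashed or not stmts:
            return None
        if stmts[0][0] == "output" and len(outputs) == k:
            return cfg
        cfg = step(cfg)
    return None


def hybrid_outputs(old, new, old_store, new_store, inputs, k) -> Optional[List[int]]:
    """Dynamic update at the old program's (k+1)-th output: C1 (old) is mapped to the
    configuration C2 reached by simulating the new program on the same input, and
    execution continues from C2. Returns the hybrid execution's output sequence."""
    c1 = before_kth_output(old, old_store, inputs, k)
    c2 = before_kth_output(new, new_store, inputs, k)
    if c1 is None or c2 is None:
        return None
    return c1[5] + run_from(c2)[5][k:]


def same_output_sequence(p1, s1, p2, s2, inputs) -> bool:
    """Concrete check of =_O on one input stream (a test, not the paper's proof rule)."""
    return run_from(initial(p1, s1, inputs))[5] == run_from(initial(p2, s2, inputs))[5]


# Constructed programs: Figure 15's pair placed inside a loop labelled "L1".
OLD = [("input", "n"), ("assign", "i", lambda s: 0),
       ("while", "L1", lambda s: s["i"] < s["n"],
        [("input", "a"), ("output", lambda s: s["a"] + 2),
         ("assign", "i", lambda s: s["i"] + 1)])]
NEW = [("input", "n"), ("assign", "i", lambda s: 0),
       ("while", "L1", lambda s: s["i"] < s["n"],
        [("input", "a"),
         ("if", lambda s: s["b"],                         # new configuration variable b
          [("output", lambda s: s["a"] * 2)],            # new behaviour when b = 1
          [("output", lambda s: s["a"] + 2)]),           # old behaviour when b = 0
         ("assign", "i", lambda s: s["i"] + 1)])]
INPUTS = [3, 10, 20, 30]          # constructed input stream: n, then three values of a
```

With `b` specialized to 0, `same_output_sequence(OLD, {}, NEW, {"b": 0}, INPUTS)` holds and `hybrid_outputs(OLD, NEW, {}, {"b": 0}, INPUTS, 1)` (update just before the second output) reproduces the old program's output sequence; with `b = 1` the hybrid execution diverges from the old one after the update point, which is exactly what the backward compatibility condition rules out. The loop counter of `L1` reaches 2 in the mapped configuration and is reset to 0 by Wh-F on exit, matching the counter bookkeeping used by Lemma 5.24.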


Definition 25. (Specializing new configuration variables) A statement sequence $S_2$ includes updates of specializing new configuration variables compared with $S_1$ w.r.t. a mapping $p$ of the new configuration variables in $S_2$, $p : \{id\} \mapsto \{0, 1\}$, denoted $S_2 \simeq_p S_1$, iff one of the following holds:

1. $S_2 = \text{``if}(id)\ \text{then}\{S_2^t\}\ \text{else}\{S_2^f\}\text{''}$ where one of the following holds:

(a) $(p(id) = 0) \wedge (S_2^f \simeq_p S_1)$;

(b) $(p(id) = 1) \wedge (S_2^t \simeq_p S_1)$;

2. $S_1$ and $S_2$ produce the same output sequence, $S_1 =_O S_2$;

3. $S_1 = \text{``if}(e)\ \text{then}\{S_1^t\}\ \text{else}\{S_1^f\}\text{''}$, $S_2 = \text{``if}(e)\ \text{then}\{S_2^t\}\ \text{else}\{S_2^f\}\text{''}$ where $(S_2^t \simeq_p S_1^t) \wedge (S_2^f \simeq_p S_1^f)$;

4. $S_1 = \text{``}\mathrm{while}_{(n_1)}(e)\{S_1'\}\text{''}$, $S_2 = \text{``}\mathrm{while}_{(n_2)}(e)\{S_2'\}\text{''}$ where $S_2' \simeq_p S_1'$;

5. $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ where $(S_2' \simeq_p S_1') \wedge (S_2' =_H S_1') \wedge (\forall x \in \mathrm{Imp}(s_1, \{id_{IO}\}) \cup \mathrm{Imp}(s_2, \{id_{IO}\}) : S_2' =_x S_1') \wedge (s_2 \simeq_p s_1)$.

We then show that the executions of two statement sequences produce the same I/O sequence if there are updates of specializing new configuration variables between the two.

Lemma 6.1. Let $S_1$ and $S_2$ be two different statement sequences where there are updates of “specializing new configuration variables” in $S_2$ compared with $S_1$ w.r.t. a mapping of new configuration variables $p$, $S_2 \approx_p S_1$. If executions of $S_2$ and $S_1$ start in states $m_2(f_2, \sigma_2)$ and $m_1(f_1, \sigma_1)$ respectively where all of the following hold:

• Crash flags $f_2, f_1$ are not set, $f_2 = f_1 = 0$;

• Value stores $\sigma_1$ and $\sigma_2$ agree on output deciding variables in both $S_1$ and $S_2$ including the input and I/O sequence variable, $\forall id \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_1(id) = \sigma_2(id)$;

• Values of new configuration variables in the value store $\sigma_2$ match those in $p$, $\forall id \in Dom(p) : p(id) = \sigma_2(id)$;

• New configuration variables are not defined in the statement sequence $S_2$, $Dom(p) \cap Def(S_2) = \emptyset$;

then $S_2$ and $S_1$ satisfy all of the following:

• $(S_1, m_1) =_H (S_2, m_2)$;

• $(S_1, m_1) =_O (S_2, m_2)$;

• $\forall x \in \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$.

Proof. The proof of Lemma 6.1 is by induction on the sum of the program sizes of $S_1$ and $S_2$ and is a case analysis based on Definition 25.

Base case.

$S_1$ is a simple statement $s$, $S_2$ = “If($id$) then{$s_2'$} else{$s_2''$}” where $s_2', s_2''$ are simple statements and one of the following holds:

1. $(p(id) = 0) \wedge (s_2'' = s)$;

2. $(p(id) = 1) \wedge (s_2' = s)$;

W.l.o.g., we assume that $p(id) = 0$. By assumption, $\sigma_2(id) = p(id) = 0$. Then the execution of $S_2$ proceeds as follows:

(If($id$) then{$s_2'$} else{$s_2''$}, $m_2(\sigma_2)$)
→ (If(0) then{$s_2'$} else{$s_2''$}, $m_2(\sigma_2)$) by the rule Var
→ ($s_2''$, $m_2(\sigma_2)$) by the If-F rule.

By Theorem 5 and Theorem 4, this lemma holds.

Induction step.

The induction hypothesis (IH) is that Lemma 6.1 holds when the sum of the program sizes of $S_1$ and $S_2$ is at least 4, size($S_1$) + size($S_2$) = $k \geq 4$.

Then we show that the lemma holds when size($S_1$) + size($S_2$) = $k + 1$. There are the following cases to consider.


1. $S_1$ and $S_2$ satisfy the condition of same output sequence, $S_1 \approx S_2$.

By Theorem 5, the lemma holds.

2. $S_1$ and $S_2$ are both “If” statements: $S_1$ = “If($e$) then{$S_1'$} else{$S_1''$}”, $S_2$ = “If($e$) then{$S_2'$} else{$S_2''$}” where both of the following hold:

• $S_2' \approx_p S_1'$;

• $S_2'' \approx_p S_1''$.

By the definition of Use($S_1$), variables used in the predicate expression $e$ are a subset of the used variables in $S_1$ and $S_2$, Use($e$) $\subseteq$ Use($S_1$) $\cap$ Use($S_2$). By assumption, corresponding variables used in $e$ have the same value in value stores $\sigma_1$ and $\sigma_2$. By Lemma B.1, the expression evaluates to the same value w.r.t. value stores $\sigma_1$ and $\sigma_2$. There are three possibilities.

(a) The evaluation of $e$ crashes, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (\text{error}, v_{of})$.

The execution of $S_1$ continues as follows:

(If($e$) then{$S_1'$} else{$S_1''$}, $m_1(\sigma_1)$)
→ (If((error, $v_{of}$)) then{$S_1'$} else{$S_1''$}, $m_1(\sigma_1)$) by the rule EEval'
→ (If(0) then{$S_1'$} else{$S_1''$}, $m_1(1/f)$) by the ECrash rule
$\to^{i}$ (If(0) then{$S_1'$} else{$S_1''$}, $m_1(1/f)$) for any $i > 0$ by the Crash rule.

Similarly, the execution of $S_2$ started from the state $m_2(\sigma_2)$ crashes. The lemma holds.

(b) The evaluation of $e$ reduces to zero, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (0, v_{of})$.

The execution of $S_1$ continues as follows:

(If($e$) then{$S_1'$} else{$S_1''$}, $m_1(\sigma_1)$)
→ (If((0, $v_{of}$)) then{$S_1'$} else{$S_1''$}, $m_1(\sigma_1)$) by the rule EEval'
→ (If(0) then{$S_1'$} else{$S_1''$}, $m_1(\sigma_1)$) by the E-Oflow1 or E-Oflow2 rule
→ ($S_1''$, $m_1(\sigma_1)$) by the If-F rule.

Similarly, the execution of $S_2$ gets to the configuration ($S_2''$, $m_2(\sigma_2)$).

By the hypothesis IH, we show the lemma holds. We need to show that all conditions are satisfied for the application of the hypothesis IH.

• $S_2'' \approx_p S_1''$.

By assumption.

• The sum of the program sizes of $S_1''$ and $S_2''$ is less than $k$, size($S_1''$) + size($S_2''$) $< k$.

By definition, size($S_1$) = 1 + size($S_1'$) + size($S_1''$). Then, size($S_1''$) + size($S_2''$) $\leq k + 1 - 2 = k - 1$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on values of used variables in $S_1''$ and $S_2''$ as well as the input, I/O sequence variable.

By definition, Use($S_1''$) $\subseteq$ Use($S_1$). So are the cases for $S_2''$ and $S_2$. In addition, value stores $\sigma_1$ and $\sigma_2$ are not changed in the evaluation of the predicate expression $e$. The condition holds.

• Values of new configuration variables are consistent in the value store $\sigma_2$ and the specialization $p$, $\forall id \in Dom(p) : \sigma_2(id) = p(id)$.

By assumption.

By the hypothesis IH, the lemma holds.

(c) The evaluation of $e$ reduces to the same nonzero integer value, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (v, v_{of})$ where $v \neq 0$.

By arguments similar to the second subcase above.

3. $S_1$ and $S_2$ are both “while” statements: $S_1$ = “while$_{(n_1)}$($e$) {$S_1'$}”, $S_2$ = “while$_{(n_2)}$($e$) {$S_2'$}” where $S_2' \approx_p S_1'$.

By Lemma 6.3 we show this lemma holds. We need to show that all required conditions are satisfied for the application of Lemma 6.3.

• $S_1$ and $S_2$ have the same set of output deciding variables, OVar($S_1$) = OVar($S_2$) = OVar($S$).

By Lemma 6.2 and Corollary 5.1.

• When started in states $m_1'(\sigma_1')$, $m_2'(\sigma_2')$ where value stores $\sigma_1'$ and $\sigma_2'$ agree on values of output deciding variables in both $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable, $S_1'$ and $S_2'$ terminate in the same way, produce the same output sequence, and have equivalent computation of defined variables in both $S_1'$ and $S_2'$.

By the induction hypothesis IH. This is because the sum of the program sizes of $S_1'$ and $S_2'$ is less than $k$. By definition, size($S_1$) = 1 + size($S_1'$).

By Lemma 6.3, this lemma holds.

4. $S_2$ = “If($id$) then{$S_2'$} else{$S_2''$}” where one of the following holds:

(a) $(p(id) = 0) \wedge (S_2'' \approx_p S_1)$;

(b) $(p(id) = 1) \wedge (S_2' \approx_p S_1)$.

W.l.o.g., we assume $(p(id) = 0) \wedge (S_2'' \approx_p S_1)$.

Then the execution of $S_2$ proceeds as follows:

(If($id$) then{$S_2'$} else{$S_2''$}, $m_2(\sigma_2)$)
→ (If(0) then{$S_2'$} else{$S_2''$}, $m_2(\sigma_2)$) by the Var rule
→ ($S_2''$, $m_2(\sigma_2)$) by the If-F rule.

By the induction hypothesis, we show that the lemma holds. We need to show the required conditions are satisfied for the application of the hypothesis.

• $S_2'' \approx_p S_1$.

By assumption.

• The sum of the program sizes of $S_1$ and $S_2''$ is less than $k$, size($S_1$) + size($S_2''$) $< k$.

By definition, size($S_2$) = 1 + size($S_2'$) + size($S_2''$). Then, size($S_2''$) + size($S_1$) $\leq k + 1 - 1 - $ size($S_2'$) $< k$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on values of used variables in $S_2''$ and $S_1$ as well as the input, I/O sequence variable.

By definition, Use($S_2''$) $\subseteq$ Use($S_2$). In addition, the value store $\sigma_2$ is not changed in the evaluation of the predicate expression $id$. The condition holds.

By the hypothesis IH, the lemma holds.
5. $S_1$ and $S_2$ are the same, $S_1 = S_2$.

By definition, the used variables in $S_1$ and $S_2$ are the same, and the defined variables in $S_1$ and $S_2$ are the same. By the semantic rules, $S_1$ and $S2$ terminate in the same way, produce the same output sequence, and have equivalent computation of defined variables in $S_1$ and $S_2$. This lemma holds.

6. $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ where both of the following hold:

• $S_2' \approx_p S_1'$;

• $s_2 \approx_p s_1$.

By Theorem 4 and the hypothesis IH, we show that $S_2'$ and $S_1'$ terminate in the same way and produce the same output sequence, and that when $S_2'$ and $S_1'$ both terminate, $S_2'$ and $S_1'$ have equivalent terminating computation of variables used or defined in $S_2'$ and $S_1'$.

We show all the required conditions are satisfied for the application of the hypothesis IH.

• $S_2' \approx_p S_1'$.

By assumption.

• The sum of the program sizes of $S_1'$ and $S_2'$ is less than $k$, size($S_1'$) + size($S_2'$) $< k$.

By definition, size($S_2$) = size($s_2$) + size($S_2'$) where size($s_2$) $\geq 1$. Then, size($S_2'$) + size($S_1'$) $\leq k + 1 - $ size($s_2$) $-$ size($s_1$) $< k$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on values of output deciding variables in $S_2'$ and $S_1'$ including the input, I/O sequence variable.

By definition of TVar and Imp, OVar($S_2'$) $\subseteq$ OVar($S_2$). The condition holds.

• Values of new configuration variables are consistent in the value store $\sigma_2$ and the specialization $p$, $\forall id \in Dom(p) : \sigma_2(id) = p(id)$.

By assumption.

By the hypothesis IH, one of the following holds:

(a) $S_1'$ and $S_2'$ both do not terminate.

By Lemma E.2, executions of $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ both do not terminate and produce the same output sequence.

(b) $S_1'$ and $S_2'$ both terminate.

By assumption, $(S_2', m_2(\sigma_2)) \to^{*} (\text{skip}, m_2'(\sigma_2'))$ and $(S_1', m_1(\sigma_1)) \to^{*} (\text{skip}, m_1'(\sigma_1'))$.

By Corollary E.1, $(S_2'; s_2, m_2(\sigma_2)) \to^{*} (s_2, m_2'(\sigma_2'))$ and $(S_1'; s_1, m_1(\sigma_1)) \to^{*} (s_1, m_1'(\sigma_1'))$.

By the hypothesis IH, we show that $s_2$ and $s_1$ terminate in the same way, produce the same output sequence, and when $s_2$ and $s_1$ both terminate, $s_2$ and $s_1$ have equivalent computation of variables used or defined in $s_1$ and $s_2$ and the input and I/O sequence variables.

We need to show that all conditions are satisfied for the application of the hypothesis IH.

• There are updates of “new configuration variables” between $s_2$ and $s_1$.

By assumption, $s_2 \approx_p s_1$.

• The sum of the program sizes of $s_2$ and $s_1$ is less than or equal to $k$.

By definition, size($S_2'$) $\geq 1$, size($S_1'$) $\geq 1$. Therefore, size($s_2$) + size($s_1$) $\leq k + 1 - $ size($S_2'$) $-$ size($S_1'$) $< k$.

• Value stores $\sigma_1'$ and $\sigma_2'$ agree on values of output deciding variables in $s_2$ and $s_1$ as well as the input, I/O sequence variable.

By the induction hypothesis IH, OVar($s_1$) $\subseteq$ OVar($s_2$), then Use($s_2$) $\cap$ Use($s_1$) = Use($s_1$). For any variable $id$ in OVar($s_1$), if $id$ is in OVar($S_1$), then the value of $id$ is the same after the execution of $S_1'$ and $S_2'$, $\sigma_1'(id) = \sigma_1(id) = \sigma_2(id) = \sigma_2'(id)$. Otherwise, the variable $id$ is defined in the execution of $S_1'$ and $S_2'$, and by assumption $\sigma_1'(id) = \sigma_2'(id)$. The condition holds.

• Values of new configuration variables are consistent in the value store $\sigma_2'$ and the specialization $p$, $\forall id \in Dom(p) : \sigma_2'(id) = p(id)$.

By assumption, $Dom(p) \cap Def(S_2') = \emptyset$. By Corollary E.2, values of new configuration variables are not changed in the execution of $S_2'$, $\forall id \in Dom(p) : \sigma_2'(id) = \sigma_2(id) = p(id)$.

By the hypothesis IH, the lemma holds.

□

We list properties of the update of new configuration variables and the proof of backward compatibility for the case of the loop statement as follows. We first present one auxiliary lemma used in the proof of Lemma 6.1.

Lemma 6.2. Let $S_2$ and $S_1$ be statement sequences where there are updates of “specializing new configuration variables” in $S_2$ compared with $S_1$ w.r.t. a mapping of new configuration variables $p$, $S_2 \approx_p S_1$. Then the output deciding variables in $S_1$ are a subset of those in $S_2$, $OVar(S_1) \subseteq OVar(S_2)$.

Proof. By induction on the sum of the program sizes of $S_1$ and $S_2$. □

Lemma 6.3. Let $S_1$ = “while$_{(n_1)}$($e$) {$S_1'$}” and $S_2$ = “while$_{(n_2)}$($e$) {$S_2'$}” be two loop statements where all of the following hold:

• $S_2'$ includes updates of “specializing new configuration variables” compared to $S_1'$, $S_2' \approx_p S_1'$, where $Dom(p) \cap Def(S_2') = \emptyset$;

• the output deciding variables in $S_1$ are a subset of those in $S_2$, $OVar(S_1) \subseteq OVar(S_2)$;

• when started in states $m_1'(\sigma_1')$, $m_2'(\sigma_2')$ agreeing on values of output deciding variables in $S_1'$ and $S_2'$ including the input sequence variable and the I/O sequence variable, $\forall x \in OVar(S_1') \cup OVar(S_2') \cup \{id_I, id_{IO}\} : \sigma_1'(x) = \sigma_2'(x)$, $S_1'$ and $S_2'$ terminate in the same way, produce the same output sequence, and have equivalent computation of defined variables in $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable, $((S_1', m_1') =_H (S_2', m_2')) \wedge ((S_1', m_1') =_O (S_2', m_2')) \wedge (\forall x \in OVar(S_1') \cup OVar(S_2') \cup \{id_I, id_{IO}\} : (S_1', m_1') =_x (S_2', m_2'))$.

If $S_1$ and $S_2$ start in states $m_1(loop, \sigma_1)$, $m_2(loop, \sigma_2)$ respectively, with the loop counters of $S_1$ and $S_2$ not initialized ($S_1$, $S_2$ have not executed yet), and the value stores agree on values of output deciding variables in $S_1$ and $S_2$, then, for any positive integer $i$, one of the following holds:

1. Loop counters for $S_1$ and $S_2$ are always less than $i$ if any is present: $\forall m_1'(loop'), m_2'(loop')$ with $(S_1, m_1(loop, \sigma_1)) \to^{*} (S_1'', m_1'(loop'))$ and $(S_2, m_2(loop, \sigma_2)) \to^{*} (S_2'', m_2'(loop'))$, $loop'(n_1) < i$ and $loop'(n_2) < i$. $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of output deciding variables in both $S_1$ and $S_2$ and the input sequence variable, the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$ and $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i$, and there are no reachable configurations $(S_1, m_1(loop^{i}, \sigma_{1,i}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i}, \sigma_{2,i}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i$, $loop^{i}(n_1) = loop^{i}(n_2) = i$.

• Value stores $\sigma_{1,i}$ and $\sigma_{2,i}$ agree on values of output deciding variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i}(x) = \sigma_{2,i}(x)$.

3. There are reachable configurations $(S_1, m_1(loop^{i}, \sigma_{1,i}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i}, \sigma_{2,i}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i$, $loop^{i}(n_1) = loop^{i}(n_2) = i$.

• Value stores $\sigma_{1,i}$ and $\sigma_{2,i}$ agree on values of output deciding variables in both $S_1$ and $S_2$ including the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i}(x) = \sigma_{2,i}(x)$.

Proof. By induction on $i$.

Base case.

We show that, when $i = 1$, one of the following holds:

1. Loop counters for $S_1$ and $S_2$ are always less than 1 if any is present: $\forall m_1'(loop'), m_2'(loop')$ with $(S_1, m_1(loop, \sigma_1)) \to^{*} (S_1'', m_1'(loop'))$ and $(S_2, m_2(loop, \sigma_2)) \to^{*} (S_2'', m_2'(loop'))$, $loop'(n_1) < 1$ and $loop'(n_2) < 1$. $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of used/defined variables in both $S_1$ and $S_2$ and the input sequence variable, the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$ and $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. Loop counters of $S_1$ and $S_2$ are of value less than or equal to 1, but there are no reachable configurations $(S_1, m_1(loop^{1}, \sigma_{1,1}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{1}, \sigma_{2,1}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value 1, $loop^{1}(n_1) = loop^{1}(n_2) = 1$.

• Value stores $\sigma_{1,1}$ and $\sigma_{2,1}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,1}(x) = \sigma_{2,1}(x)$.

3. There are reachable configurations $(S_1, m_1(loop^{1}, \sigma_{1,1}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{1}, \sigma_{2,1}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value 1, $loop^{1}(n_1) = loop^{1}(n_2) = 1$.

• Value stores $\sigma_{1,1}$ and $\sigma_{2,1}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,1}(x) = \sigma_{2,1}(x)$.

By definition, variables used in the predicate expression $e$ of $S_1$ and $S_2$ are used in $S_1$ and $S_2$, Use($e$) $\subseteq$ OVar($S_1$) $\cap$ OVar($S_2$). By assumption, value stores $\sigma_1$ and $\sigma_2$ agree on values of variables in Use($e$), so the predicate expression $e$ evaluates to the same value w.r.t. value stores $\sigma_1$ and $\sigma_2$. There are three possibilities.

1. The evaluation of $e$ crashes, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (\text{error}, v_{of})$.

The execution of $S_1$ continues as follows:

(while$_{(n_1)}$($e$) {$S_1'$}, $m_1(\sigma_1)$)
→ (while$_{(n_1)}$((error, $v_{of}$)) {$S_1'$}, $m_1(\sigma_1)$) by the rule EEval'
→ (while$_{(n_1)}$(0) {$S_1'$}, $m_1(1/f)$) by the ECrash rule
$\to^{i}$ (while$_{(n_1)}$(0) {$S_1'$}, $m_1(1/f)$) for any $i > 0$ by the Crash rule.

Similarly, the execution of $S_2$ started from the state $m_2(\sigma_2)$ crashes. Therefore $S_1$ and $S_2$ terminate in the same way when started from $m_1$ and $m_2$ respectively. Because $\sigma_1(id_{IO}) = \sigma_2(id_{IO})$, the lemma holds.

2. The evaluation of $e$ reduces to zero, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (0, v_{of})$.

The execution of $S_1$ continues as follows:

(while$_{(n_1)}$($e$) {$S_1'$}, $m_1(\sigma_1)$)
→ (while$_{(n_1)}$((0, $v_{of}$)) {$S_1'$}, $m_1(\sigma_1)$) by the rule EEval'
→ (while$_{(n_1)}$(0) {$S_1'$}, $m_1(\sigma_1)$) by the E-Oflow1 or E-Oflow2 rule
→ (skip, $m_1(\sigma_1)$) by the Wh-F rule.

Similarly, the execution of $S_2$ gets to the configuration (skip, $m_2(\sigma_2)$). Loop counters of $S_1$ and $S_2$ are less than 1 and the value stores agree on values of used/defined variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable.

3. The evaluation of $e$ reduces to the same nonzero integer value, $\mathcal{E}[\![e]\!]\sigma_1 = \mathcal{E}[\![e]\!]\sigma_2 = (v, v_{of})$ where $v \neq 0$.

Then the execution of $S_1$ proceeds as follows:

(while$_{(n_1)}$($e$) {$S_1'$}, $m_1(\sigma_1)$)
→ (while$_{(n_1)}$(($v$, $v_{of}$)) {$S_1'$}, $m_1(\sigma_1)$) by the rule EEval'
→ (while$_{(n_1)}$($v$) {$S_1'$}, $m_1(\sigma_1)$) by the E-Oflow1 or E-Oflow2 rule
→ ($S_1'$; while$_{(n_1)}$($e$) {$S_1'$}, $m_1(loop \cup \{n_1 \mapsto 1\}, \sigma_1)$) by the Wh-T rule.

Similarly, the execution of $S_2$ proceeds to the configuration ($S_2'$; while$_{(n_2)}$($e$) {$S_2'$}, $m_2(loop \cup \{n_2 \mapsto 1\}, \sigma_2)$).

By the hypothesis IH, we show that $S_1'$ and $S_2'$ terminate in the same way and produce the same output sequence when started in the states $m_1(loop^{1}, \sigma_1)$ and $m_2(loop^{1}, \sigma_2)$, and that $S_1'$ and $S_2'$ have equivalent computation of variables used or defined in both statement sequences if both terminate. We need to show that all conditions are satisfied for the application of the hypothesis IH.

• Variables in the domain of $p$ are not redefined in the execution of $S_2'$.

The above three conditions are by assumption.

By definition, size($S_1$) = 1 + size($S_1'$). Then, size($S_1'$) + size($S_2'$) = $k + 1 - 2 = k - 1$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on values of used variables in $S_1'$ and $S_2'$ as well as the input, I/O sequence variable.

By definition, OVar($S_1'$) $\subseteq$ OVar($S_1$). So are the cases for $S_2'$ and $S_2$. In addition, value stores $\sigma_1$ and $\sigma_2$ are not changed in the evaluation of the predicate expression $e$. The condition holds.

• Values of new configuration variables are consistent in the value store $\sigma_2$ and the specialization $p$, $\forall id \in Dom(p) : \sigma_2(id) = p(id)$.

By assumption.

By assumption, $S_1'$ and $S_2'$ terminate in the same way and produce the same output sequence when started in states $m_1(loop^{1}, \sigma_1)$ and $m_2(loop^{1}, \sigma_2)$. In addition, $S_1'$ and $S_2'$ have equivalent computation of variables used or defined in $S_1'$ and $S_2'$ when started in states $m_1(loop^{1}, \sigma_1)$ and $m_2(loop^{1}, \sigma_2)$.

Then there are two cases.

(a) $S_1'$ and $S_2'$ both do not terminate and produce the same output sequence.

By Lemma E.2, $S_1'; S_1$ and $S_2'; S_2$ both do not terminate and produce the same output sequence.

(b) $S_1'$ and $S_2'$ both terminate and have equivalent computation of variables used or defined in $S_1'$ and $S_2'$.

By assumption, $(S_1', m_1(loop^{1}, \sigma_1)) \to^{*} (\text{skip}, m_1'(loop'', \sigma_1'))$ and $(S_2', m_2(loop^{1}, \sigma_2)) \to^{*} (\text{skip}, m_2'(loop'', \sigma_2'))$ where $\forall x \in (OVar(S_1') \cap OVar(S_2')) \cup \{id_I, id_{IO}\} : \sigma_1'(x) = \sigma_2'(x)$. Because $S_1$ and $S_2$ have the same predicate expression, variables used in the predicate expression of $S_1$ and $S_2$ are not in the domain of $p$. By assumption, $OVar(S_1) \subseteq OVar(S_2) \subseteq OVar(S_2') \cup Dom(p)$ and $OVar(S_1') \subseteq OVar(S_2')$. Then variables used in the predicate expression of $S_1$ and $S_2$ are either among the variables used or defined in both $S_1'$ and $S_2'$ or not. Therefore value stores $\sigma_2'$ and $\sigma_1'$ agree on values of variables used in the expression $e$ and even on variables used or defined in $S_1$ and $S_2$.

Induction step on iterations.

The induction hypothesis (IH) is that, when $i \geq 1$, one of the following holds:

1. Loop counters for $S_1$ and $S_2$ are always less than $i$ if any is present: $\forall m_1'(loop'), m_2'(loop')$ with $(S_1, m_1(loop, \sigma_1)) \to^{*} (S_1'', m_1'(loop'))$ and $(S_2, m_2(loop, \sigma_2)) \to^{*} (S_2'', m_2'(loop'))$, $loop'(n_1) < i$ and $loop'(n_2) < i$. $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of used/defined variables in both $S_1$ and $S_2$ and the input sequence variable, the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$ and $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i$, and there are no reachable configurations $(S_1, m_1(loop^{i}, \sigma_{1,i}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i}, \sigma_{2,i}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i$, $loop^{i}(n_1) = loop^{i}(n_2) = i$.

• Value stores $\sigma_{1,i}$ and $\sigma_{2,i}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i}(x) = \sigma_{2,i}(x)$.

3. There are reachable configurations $(S_1, m_1(loop^{i}, \sigma_{1,i}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i}, \sigma_{2,i}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i$, $loop^{i}(n_1) = loop^{i}(n_2) = i$.

• Value stores $\sigma_{1,i}$ and $\sigma_{2,i}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i}(x) = \sigma_{2,i}(x)$.

Then we show that, for $i + 1$, one of the following holds:

1. Loop counters for $S_1$ and $S_2$ are always less than $i + 1$ if any is present: $\forall m_1'(loop'), m_2'(loop')$ with $(S_1, m_1(loop, \sigma_1)) \to^{*} (S_1'', m_1'(loop'))$ and $(S_2, m_2(loop, \sigma_2)) \to^{*} (S_2'', m_2'(loop'))$, $loop'(n_1) < i + 1$ and $loop'(n_2) < i + 1$. $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of used/defined variables in both $S_1$ and $S_2$ and the input sequence variable, the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$ and $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i + 1$, and there are no reachable configurations $(S_1, m_1(loop^{i+1}, \sigma_{1,i+1}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i+1}, \sigma_{2,i+1}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i + 1$, $loop^{i+1}(n_1) = loop^{i+1}(n_2) = i + 1$.

• Value stores $\sigma_{1,i+1}$ and $\sigma_{2,i+1}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i+1}(x) = \sigma_{2,i+1}(x)$.

3. There are reachable configurations $(S_1, m_1(loop^{i+1}, \sigma_{1,i+1}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i+1}, \sigma_{2,i+1}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i + 1$, $loop^{i+1}(n_1) = loop^{i+1}(n_2) = i + 1$.

• Value stores $\sigma_{1,i+1}$ and $\sigma_{2,i+1}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i+1}(x) = \sigma_{2,i+1}(x)$.

By the hypothesis IH, there is no configuration where the loop counters of $S_1$ and $S_2$ are of value $i + 1$ when case 1 or case 2 of the hypothesis holds, that is, when the loop counters for $S_1$ and $S_2$ always stay less than $i$ (and $S_1$ and $S_2$ terminate in the same way, produce the same output sequence and have equivalent computation of used/defined variables in both $S_1$ and $S_2$ and the input and I/O sequence variables), or when the loop counters are at most $i$ but no reachable configurations $(S_1, m_1(loop^{i}, \sigma_{1,i}))$, $(S_2, m_2(loop^{i}, \sigma_{2,i}))$ exist with $loop^{i}(n_1) = loop^{i}(n_2) = i$ and $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i}(x) = \sigma_{2,i}(x)$.

When there are reachable configurations $(S_1, m_1(loop^{i}, \sigma_{1,i}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i}, \sigma_{2,i}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i$, $loop^{i}(n_1) = loop^{i}(n_2) = i$.

• Value stores $\sigma_{1,i}$ and $\sigma_{2,i}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i}(x) = \sigma_{2,i}(x)$.

then, by an argument similar to the base case, one of the following holds:

1. Loop counters for $S_1$ and $S_2$ are always less than $i + 1$ if any is present: $\forall m_1'(loop'), m_2'(loop')$ with $(S_1, m_1(loop, \sigma_1)) \to^{*}$
    old                            new
    1: enum id {o1}                1': enum id {o1, o2}
    2: a : enum id                 2': a : enum id
    3: If (a == o1) then           3': If (a == o1) then
    4:   output 2 + c              4':   output 2 + c
    5:                             5': If (a == o2) then
    6:                             6':   output 3 + c

Figure 16: Enumeration type extension


$(S_1'', m_1'(loop'))$ and $(S_2, m_2(loop, \sigma_2)) \to^{*} (S_2'', m_2'(loop'))$, $loop'(n_1) < i + 1$ and $loop'(n_2) < i + 1$. $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of used/defined variables in both $S_1$ and $S_2$ and the input sequence variable, the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$ and $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i + 1$, and there are no reachable configurations $(S_1, m_1(loop^{i+1}, \sigma_{1,i+1}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i+1}, \sigma_{2,i+1}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i + 1$, $loop^{i+1}(n_1) = loop^{i+1}(n_2) = i + 1$.

• Value stores $\sigma_{1,i+1}$ and $\sigma_{2,i+1}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i+1}(x) = \sigma_{2,i+1}(x)$.

3. There are reachable configurations $(S_1, m_1(loop^{i+1}, \sigma_{1,i+1}))$ from $(S_1, m_1(\sigma_1))$, $(S_2, m_2(loop^{i+1}, \sigma_{2,i+1}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

• The loop counters of $S_1$ and $S_2$ are of value $i + 1$, $loop^{i+1}(n_1) = loop^{i+1}(n_2) = i + 1$.

• Value stores $\sigma_{1,i+1}$ and $\sigma_{2,i+1}$ agree on values of used variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cap OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1,i+1}(x) = \sigma_{2,i+1}(x)$.

□


6.2 Proof rule for enumeration type extension 

Enumeration types allow developers to list similar items. New code is usually accompanied by the introduction of new enumeration labels. Figure 16 shows an example of the update. The new enum label o2 gives a new option for matching the value of the variable a, which introduces the new code 6': output 3 + c. To show updates of “enumeration type extension” to be backward compatible, we assume that the values of enum variables used in the If-predicate introducing the new code come only from inputs that cannot be translated to new enum labels.

In order to have a general definition of the update class, we show a relation between two sequences of enumeration type definitions, called proper subset.

Definition 26. (Extension relation of enumeration types) Let $EN_1$, $EN_2$ be two different sequences of enumeration type definitions. $EN_1$ is a subset of $EN_2$, written $EN_1 \subset EN_2$, iff one of the following holds:

1. $EN_1$ = “enum $id$ {$el_1$}”, $EN_2$ = “enum $id$ {$el_2$}” where the labels in type “enum $id$” in $EN_1$ are a subset of those in $EN_2$, $el_2 = el_1, el$ and $el \neq \emptyset$;

2. $EN_1$, $EN_2$ include more than one enumeration type definition, $EN_1$ = “enum $id$ {$el_1$}, $EN_1'$”, $EN_2$ = “enum $id$ {$el_2$}, $EN_2'$” where one of the following holds:

 (a) $(EN_1' \subset EN_2')$ and $((el_1 = el_2) \vee (el_2 = el_1, el))$;

 (b) $((EN_1' \subset EN_2') \vee (EN_1' = EN_2'))$ and “enum $id$ {$el_1$}” $\subset$ “enum $id$ {$el_2$}”.

Definition 27. (Enumeration type extension) Let $P_1$, $P_2$ be two programs where the enumeration type definitions $EN_1$ in $P_1$ are a subset of $EN_2$ in $P_2$, $EN_1 \subset EN_2$, and $E$ are the new enum labels in $P_2$. A statement sequence $S_2$ in the program $P_2$ includes updates of enumeration type extension compared with a statement sequence $S_1$ in $P_1$, written $S_2 \approx_E S_1$, iff one of the following holds:

1. $S_2$ = “If($id$==$l$) then{$S_2'$} else{$S_2''$}” and all of the following hold:

• $l \in E$;

• The variable $id$ is not an lvalue in an assignment statement, “$id$ := $e$” $\notin P_2$;

• $S_2'' \approx_E S_1$;

2. $S_1$ = “If($e$) then{$S_1'$} else{$S_1''$}”, $S_2$ = “If($e$) then{$S_2'$} else{$S_2''$}” where $(S_2' \approx_E S_1') \wedge (S_2'' \approx_E S_1'')$;

3. $S_1$ = “while($e$) {$S_1'$}”, $S_2$ = “while($e$) {$S_2'$}” where $S_2' \approx_E S_1'$;

4. $S_1$ and $S_2$ produce the same output sequence, $S_1 \approx S_2$;

5. $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ where $(S_2' \approx_E S_1') \wedge (s_2 \approx_E s_1)$ and, for every $x \in Imp(s_1, id_{IO}) \cup Imp(s_2, id_{IO})$, $S_2'$ and $S_1'$ have equivalent computation of $x$.
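To make Definitions 25 and 27 concrete, the following Python model (added here; it is not the paper's code or an implementation of its W language) encodes the Figure 15 and Figure 16 programs as small ASTs, checks the structural update relation using the new-code guard of each class, and runs both versions to show that the output sequences agree under the assumptions of Lemmas 6.1 and 6.4 ($p(b) = 0$; the enum variable a never holds the new label o2) and diverge when those assumptions are violated. The tuple encodings, the integers standing for enum labels, and the padding of the old Figure 16 program with an empty statement are assumptions of this model.

```python
from typing import Callable, Dict, List, Optional

# Added model of the paper's W-style statements (not the paper's own code).
# Constructed encodings:
#   expr ::= ("const", n) | ("var", x) | ("add" | "mul" | "eq", e1, e2)
#   stmt ::= ("output", e) | ("assign", x, e) | ("if", e, s_then, s_else) | ("seq", [s, ...])
Store = Dict[str, int]
Guard = Callable[[tuple], Optional[tuple]]
SKIP = ("seq", [])
BINOPS = {"add": lambda a, b: a + b, "mul": lambda a, b: a * b, "eq": lambda a, b: int(a == b)}


def eval_expr(e: tuple, st: Store) -> int:
    if e[0] == "const":
        return e[1]
    if e[0] == "var":
        return st[e[1]]
    return BINOPS[e[0]](eval_expr(e[1], st), eval_expr(e[2], st))


def run(s: tuple, st: Store, out: List[int]) -> None:
    """Execute s, updating the value store st and appending to the output sequence out."""
    tag = s[0]
    if tag == "output":
        out.append(eval_expr(s[1], st))
    elif tag == "assign":
        st[s[1]] = eval_expr(s[2], st)
    elif tag == "if":
        run(s[2] if eval_expr(s[1], st) != 0 else s[3], st, out)
    elif tag == "seq":
        for sub in s[1]:
            run(sub, st, out)
    else:
        raise ValueError(f"unknown statement {tag}")


def output_sequence(s: tuple, st: Store) -> List[int]:
    out: List[int] = []
    run(s, dict(st), out)  # copy: the caller's store is left untouched
    return out


def same_outputs(s1: tuple, s2: tuple, stores: List[Store]) -> bool:
    """Semantic check: both versions yield identical output sequences from every store."""
    return all(output_sequence(s1, st) == output_sequence(s2, st) for st in stores)


def related(s2: tuple, s1: tuple, guard: Guard) -> bool:
    """Structural core shared by Definitions 25 and 27: peel new-code guards off s2
    (guard returns the branch the old code corresponds to, or None), then recurse
    through If statements with identical predicates and through sequences
    element-wise.  The definitions' semantic leaves (same output sequence, the Imp
    condition) are approximated by structural equality: sufficient, not complete."""
    kept = guard(s2)
    if kept is not None:
        return related(kept, s1, guard)
    if s2 == s1:
        return True
    if s1[0] == s2[0] == "if" and s1[1] == s2[1]:
        return related(s2[2], s1[2], guard) and related(s2[3], s1[3], guard)
    if s1[0] == s2[0] == "seq" and len(s1[1]) == len(s2[1]):
        return all(related(b, a, guard) for a, b in zip(s1[1], s2[1]))
    return False


def config_guard(p: Dict[str, int]) -> Guard:
    """Definition 25, case 1: 'If(id)' on a new configuration variable id;
    p(id) = 1 keeps the then-branch, p(id) = 0 the else-branch."""
    def guard(s: tuple) -> Optional[tuple]:
        if s[0] == "if" and s[1][0] == "var" and s[1][1] in p:
            return s[2] if p[s[1][1]] == 1 else s[3]
        return None
    return guard


def enum_guard(new_labels: set, assigned: set) -> Guard:
    """Definition 27, case 1: 'If(id == l)' with l a new enum label and id never
    the lvalue of an assignment; the old code corresponds to the else-branch."""
    def guard(s: tuple) -> Optional[tuple]:
        if s[0] == "if" and s[1][0] == "eq":
            var, lab = s[1][1], s[1][2]
            if (var[0] == "var" and var[1] not in assigned
                    and lab[0] == "const" and lab[1] in new_labels):
                return s[3]
        return None
    return guard


# Figure 15: old 'output a + 2'; new guards 'output a * 2' by configuration variable b.
OLD15 = ("output", ("add", ("var", "a"), ("const", 2)))
NEW15 = ("if", ("var", "b"), ("output", ("mul", ("var", "a"), ("const", 2))), OLD15)

# Figure 16: enum labels o1, o2 modelled as the integers 1, 2; the old program is
# padded with an empty statement where the new 'If (a == o2)' was inserted.
O1, O2 = 1, 2
IF_O1 = ("if", ("eq", ("var", "a"), ("const", O1)),
         ("output", ("add", ("const", 2), ("var", "c"))), SKIP)
IF_O2 = ("if", ("eq", ("var", "a"), ("const", O2)),
         ("output", ("add", ("const", 3), ("var", "c"))), SKIP)
OLD16 = ("seq", [IF_O1, SKIP])
NEW16 = ("seq", [IF_O1, IF_O2])

if __name__ == "__main__":
    print(related(NEW15, OLD15, config_guard({"b": 0})))   # True: Def. 25 holds with p(b) = 0
    print(same_outputs(OLD15, NEW15, [{"a": 3, "b": 1}]))  # False: 5 vs 6 when b is not 0
    print(related(NEW16, OLD16, enum_guard({O2}, set())))  # True: Def. 27 holds
    print(same_outputs(OLD16, NEW16, [{"a": O2, "c": 10}]))  # False: [] vs [13] when a = o2
```

The two failing checks are exactly the situations the lemmas exclude: a configuration variable that is not held at its specialized value, and an enum variable that does take a new label at run time.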

We show that two programs terminate in the same way, produce 
the same output sequence, and have equivalent computation of 
variables defined in both of them in executions if there are updates 
of enumeration type extension between them. 

Lemma 6.4. Let $S_1$ and $S_2$ be two statement sequences in programs $P_1$ and $P_2$ respectively where there are updates of enumeration type extension in $S_2$ of $P_2$ compared with $S_1$ of $P_1$, $S_2 \approx_E S_1$.

If $S_1$ and $S_2$ start in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ such that all of the following hold:

• Value stores $\sigma_1$ and $\sigma_2$ agree on values of output deciding variables in both $S_1$ and $S_2$ including the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_1(x) = \sigma_2(x)$;

• No variable used in $S_2$ has an initial value that is an enum label in $E$, $\forall x \in Use(S_2) : (\sigma_2(x) \notin E)$;

• No inputs are translated to any label in $E$ during the execution of $S_2$;

then $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and when $S_1$ and $S_2$ both terminate, they have equivalent computation of used variables and defined variables:

• $(S_1, m_1) =_H (S_2, m_2)$;

• $(S_1, m_1) =_O (S_2, m_2)$;

• $\forall x \in OVar(S_1) \cup OVar(S_2) : (S_1, m_1) =_x (S_2, m_2)$.

Proof. By induction on the sum of the program sizes of $S_1$ and $S_2$, size($S_1$) + size($S_2$).

Base case. $S_1$ is a simple statement $s$, and $S_2$ = “If($id$==$l$) then{$s_2'$} else{$s_2''$}” where all of the following hold:

• $l \in E$;

• $s_2'$, $s_2''$ are two simple statements;

• $s_2'' = s$.
We informally argue that the value of the variable $id$ in the predicate expression of $S_2$ comes only from an input value or the initial value. There are three ways a scalar variable is defined: the execution of an assignment statement, the execution of an input statement, or the initial value. Because $id$ is not an lvalue in an assignment statement, the value of $id$ comes only from the execution of an input statement or the initial value.

In addition, by assumption, no output deciding variable has an initial value that is an enum label in $E$, and no input values are translated into an enum label in $E$. Then the execution of $S_2$ proceeds as follows:

(If($id$==$l$) then{$s_2'$} else{$s_2''$}, $m_2(\sigma_2)$)
→ (If(0) then{$s_2'$} else{$s_2''$}, $m_2(\sigma_2)$) by the rule Eq-F
→ ($s_2''$, $m_2(\sigma_2)$) by the If-F rule.

The value store $\sigma_2$ is not updated in the execution of $S_2$ so far.

By assumption, value stores $\sigma_1$ and $\sigma_2$ agree on values of output deciding variables in both $S_1$ and $S_2$.

By Theorem 5 and Theorem 4, $S_1$ and $S_2$ terminate in the same way and produce the same I/O sequence. The lemma holds.

Induction step.

The hypothesis is that this lemma holds when the sum $k$ of the program sizes of $S_1$ and $S_2$ is greater than or equal to 4, $k \geq 4$.

We then show that this lemma holds when the sum of the program sizes of $S_1$ and $S_2$ is $k + 1$. There are the following cases regarding $S_2 \approx_E S_1$.

1. 5i and S 2 are both “If’ statement: 

5i = “If(e)then{5j}else{5/}”,52 = “If(e) then{5^} else{5|}” 
where both of the following hold 

• 5|«|5/; 

By the definition of Imp^(5i), variables used in the predicate 
expression e are a subset of output deciding variables in 5i 
and S 2 , Use(e) C OVar(5i) PI OVar(52). By assumption, 
corresponding variables used in e are of same value in value 
stores (Ti and < 72 . By Lemma IDT] the expression evaluates to 
the same value w.r.t value stores ai and <J 2 - There are three 
possibilities. 

(a) The evaluation of e crashes, E⟦e⟧σ1 = E⟦e⟧σ2 = (error, v_of).

The execution of S1 continues as follows:

(If(e) then{S1'} else{S1''}, m1(σ1))
→ (If((error, v_of)) then{S1'} else{S1''}, m1(σ1))   by the rule EEval'
→ (If(0) then{S1'} else{S1''}, m1(⊥))                 by the ECrash rule
→^i (If(0) then{S1'} else{S1''}, m1(⊥)) for any i > 0  by the Crash rule.

Similarly, the execution of S2 started from the state m2(σ2) crashes. The lemma holds.

(b) The evaluation of e reduces to zero, E⟦e⟧σ1 = E⟦e⟧σ2 = (0, v_of).

The execution of S1 continues as follows.

(If(e) then{S1'} else{S1''}, m1(σ1))
→ (If((0, v_of)) then{S1'} else{S1''}, m1(σ1))   by the rule EEval'
→ (If(0) then{S1'} else{S1''}, m1(σ1))           by the E-Oflow1 or E-Oflow2 rule
→ (S1'', m1(σ1))                                 by the If-F rule.

Similarly, the execution of S2 gets to the configuration (S2'', m2(σ2)).

By the hypothesis IH, we show the lemma holds. We need to show that all conditions are satisfied for the application of the hypothesis IH.

• S2'' ≈E S1''.

By assumption.

• The sum of the program sizes of S1'' and S2'' is less than k, size(S1'') + size(S2'') < k.

By definition, size(S1) = 1 + size(S1') + size(S1''). Then size(S1'') + size(S2'') ≤ k + 1 − 2 = k − 1.

• Value stores σ1 and σ2 agree on values of output deciding variables in S1'' and S2'', including the input sequence variable and the I/O sequence variable.

By definition, OVar(S1'') ⊆ OVar(S1); likewise for S2'' and S2. In addition, value stores σ1 and σ2 are not changed in the evaluation of the predicate expression e. The condition holds.

• There are no inputs translated to enum labels in E in S2'''s execution.

By assumption.

By the hypothesis IH, the lemma holds.

(c) The evaluation of e reduces to the same nonzero integer value, E⟦e⟧σ1 = E⟦e⟧σ2 = (v, v_of) with v ≠ 0.

Similar to the second subcase above.

2. S1 and S2 are both “while” statements:

S1 = “while_(n1)(e) {S1'}”, S2 = “while_(n2)(e) {S2'}” where S2' ≈E S1'.

By Lemma 6.6 we show the lemma holds. We need to show that all the required conditions for the application of Lemma 6.6 hold:

(a) No variables have initial values that are new enum labels in E;

(b) Value stores σ1 and σ2 agree on values of variables used in both S1 and S2;

(c) Enumeration types in P1 are a subset of those in P2;

The above three conditions are by assumption.

(d) The output deciding variables in S1' are a subset of those in S2';

The above condition is by Lemma 6.5.

(e) S1' and S2' produce the same output sequence, terminate in the same way and have equivalent computation of defined variables in both S1' and S2' when started in states agreeing on values of variables used in both S1' and S2';

Because size(S1) = size(S1') + 1, the condition holds by the induction hypothesis.

By Lemma 6.6 the lemma holds.

3. S2 = “If(id==l) then{S2'} else{S2''}” such that all of the following hold:

• The label l is in E, l ∈ E;

• The variable id is not an lvalue in an assignment statement, “id := e” ∉ S2;

• There are updates of enumeration type extension from S1 to S2', S2' ≈E S1.

By Lemma [ref] we show this lemma holds. We need to show that all the conditions are satisfied for the application of Lemma [ref].

• S1 and S2' have the same set of output deciding variables, OVar(S1) = OVar(S2') = OVar(S);

• The output deciding variables in S1 are a subset of those in S2', OVar(S1) ⊆ OVar(S2');

By Lemma 6.5.

• There are no inputs translated to enum labels in the set E. By assumption.

• When started in states m1'(σ1'), m2'(σ2') where value stores σ1' and σ2' agree on values of output deciding variables in both S1 and S2' as well as the input sequence variable and the I/O sequence variable, and there are no inputs translated to enum labels in E, then S1 and S2' produce the same output sequence.

By the induction hypothesis IH. This is because the sum of the program sizes of S1 and S2' is less than k: by definition, size(S2) ≥ 1 + size(S2').

4. S2 = “If(id==l) then{S2'} else{S2''}” such that all of the following hold:

• The label l is in E, l ∈ E;

• The variable id is not an lvalue in an assignment statement, “id := e” ∉ S2;

• There are updates of enumeration type extension from S1 to S2'', S2'' ≈E S1.

We informally argue that the value of the variable id in the predicate expression of S2 can only come from an input value or from its initial value. There are several ways a scalar variable is defined: the execution of an assignment statement, the execution of an input statement, or the initial value. Because id is not an lvalue in any assignment statement, the value of id comes only from the execution of an input statement or from the initial value. In addition, by assumption, no used variable has an initial value that is an enum label in E, and no input value is translated into an enum label in E.

Then the expression id==l evaluates to 0. The execution of S2 proceeds as follows.

(If(id==l) then{S2'} else{S2''}, m2(σ2))
→ (If(v==l) then{S2'} else{S2''}, m2(σ2)) where v ≠ l   by the rule Var
→ (If(0) then{S2'} else{S2''}, m2(σ2))                   by the Eq-F rule
→ (S2'', m2(σ2))                                          by the If-F rule.

By the hypothesis IH, we show the lemma holds. We need to show that the conditions are satisfied for the application of the hypothesis IH.

• S2'' ≈E S1;

• There are no inputs translated to enum labels in E in S2'''s execution.

• Initial values of used variables in S2'' are not enum labels in E.

The above three conditions are by assumption.

• The sum of the program sizes of S1 and S2'' is less than k, size(S1) + size(S2'') < k.

By definition, size(S2) = 1 + size(S2') + size(S2''). Then size(S1) + size(S2'') ≤ k + 1 − 1 − size(S2') < k.

• Value stores σ1 and σ2 agree on values of used variables in both S1 and S2'' as well as the input sequence variable and the I/O sequence variable.

By definition, OVar(S2'') ⊆ OVar(S2). In addition, value stores σ1 and σ2 are not changed in the evaluation of the predicate expression. The condition holds.

By the hypothesis IH, this lemma holds.

5. S1 = S1'; s1 and S2 = S2'; s2 such that both of the following hold:

• S2' ≈E S1';

• s2 ≈E s1.

By the hypothesis IH, we show that S2' and S1' terminate in the same way, produce the same output sequence, and have equivalent computation of defined variables in S1' and S2'. We need to show that all the conditions are satisfied for the application of the hypothesis IH.

• S2' ≈E S1';

• There are no inputs translated to enum labels in E in S2''s execution.

• Initial values of used variables in S2' are not enum labels in E.

The above three conditions are by assumption.

• The sum of the program sizes of S1' and S2' is less than k, size(S1') + size(S2') < k.

By definition, size(S1) = size(S1') + size(s1). Then size(S1') + size(S2') ≤ k + 1 − size(s2) − size(s1) < k.

• Value stores σ1 and σ2 agree on values of used variables in both S1' and S2' as well as the input, output and I/O sequence variables.

By definition, OVar(S2') ⊆ OVar(S2) and OVar(S1') ⊆ OVar(S1). In addition, value stores σ1 and σ2 are not changed in the evaluation of the predicate expression e. The condition holds.

By the hypothesis IH, one of the following holds:

(a) S1' and S2' both do not terminate.

By Lemma E.2, the executions of S1 = S1'; s1 and S2 = S2'; s2 both do not terminate and produce the same output sequence.

(b) S1' and S2' both terminate.

By assumption, (S2', m2(σ2)) →* (skip, m2'(σ2')) and (S1', m1(σ1)) →* (skip, m1'(σ1')).

By Corollary E.1, (S2'; s2, m2(σ2)) →* (s2, m2'(σ2')) and (S1'; s1, m1(σ1)) →* (s1, m1'(σ1')).

By the hypothesis IH, we show that s2 and s1 terminate in the same way, produce the same output sequence and, when s2 and s1 both terminate, s2 and s1 have equivalent computation of variables used or defined in s1 and s2 and the input, output, and I/O sequence variables.

We need to show that all conditions are satisfied for the application of the hypothesis IH.

• There are updates of “enumeration type extension” between s2 and s1;

• There are no input values translated into enum labels in E in the execution of s2;

The above two conditions are by assumption.

• The sum of the program sizes of s2 and s1 is less than or equal to k;

By definition, size(S2') ≥ 1 and size(S1') ≥ 1. Therefore size(s2) + size(s1) ≤ k + 1 − size(S2') − size(S1') < k.

• Value stores σ1' and σ2' agree on values of used variables in s2 and s1 as well as the input, output and I/O sequence variables.

By Lemma 6.5, OVar(s1) ⊆ OVar(s2), so OVar(s2) ∩ OVar(s1) = OVar(s1). Similarly, by Lemma 6.5, OVar(S1') ⊆ OVar(S2'). For any variable id in OVar(s1), if id is not in OVar(S1'), then the value of id is not changed in the execution of S1' and S2', σ1'(id) = σ1(id) = σ2(id) = σ2'(id). Otherwise, the variable id is defined in the execution of S1' and S2', and by assumption σ1'(id) = σ2'(id). The condition holds.

• Values of used variables in s2 are not enum labels in E, ∀id ∈ OVar(s2) : σ2'(id) ∉ E.

By assumption, initial values of used variables in S2 are not enum labels in E. S2' and S1' have equivalent computation of defined variables in S2' and S1'. Because the enum labels in E are not defined in P1, the variables defined in the execution of S2' and S1' do not take values that are enum labels in E.

By the hypothesis IH, the lemma holds.

□
We show an auxiliary lemma stating that two programs with updates of enumeration type extension have the same set of used variables and the same set of defined variables.

Lemma 6.5. If there are updates of enumeration type extension in a statement sequence S2 against a statement sequence S1, S2 ≈E S1, then the output deciding variables in S1 are a subset of those in S2, OVar(S1) ⊆ OVar(S2).

Proof. By induction on the sum of the program sizes of S1 and S2. □

Lemma 6.6. Let S1 = while_(n1)(e) {S1'} and S2 = while_(n2)(e) {S2'} be two loop statements in programs P1 and P2 respectively where all of the following hold:

• Enumeration types EN1 in P1 are a proper subset of EN2 in P2, EN1 ⊂ EN2, such that there is a set of enum labels E only defined in P2;

• When started in states agreeing on values of output deciding variables in both S1' and S2' as well as the input sequence variable and the I/O sequence variable, where initial values of used variables in S2' are not enum labels in E and no inputs in S2''s execution are translated into any label in E, ∀x ∈ OVar(S1') ∪ {id_I, id_IO}, ∀m1(σ1), m2(σ2) : σ1(x) = σ2(x), then S1' and S2' terminate in the same way, produce the same output sequence, and have equivalent computation of defined variables in S1' and S2' as well as the input sequence variable and the I/O sequence variable, ((S1', m1) =H (S2', m2)) ∧ ((S1', m1) =O (S2', m2)) ∧ (∀x ∈ OVar(S1') ∪ OVar(S2') ∪ {id_I, id_IO} : (S1', m1) =x (S2', m2)).

If S1 and S2 start in states m1(loop, σ1), m2(loop, σ2) with the loop counters of S1 and S2 not initialized (S1, S2 have not executed yet), where the value stores agree on values of output deciding variables in S1 and S2 as well as the input sequence variable and the I/O sequence variable, initial values of used variables in S2 are not enum labels in E, and no inputs are translated into enum labels in E, then, for any positive integer i, one of the following holds:

1. Loop counters for S1 and S2 are always less than i if any is present: every configuration (S, m1'(loop')) reachable from (S1, m1(loop, σ1)) has loop'(n1) < i, and every configuration (S, m2'(loop')) reachable from (S2, m2(loop, σ2)) has loop'(n2) < i. S1 and S2 terminate in the same way, produce the same output sequence, and have equivalent computation of output deciding variables in both S1 and S2 and the input sequence variable and the I/O sequence variable, (S1, m1) =H (S2, m2), (S1, m1) =O (S2, m2) and ∀x ∈ (OVar(S1) ∪ OVar(S2)) ∪ {id_I, id_IO} : (S1, m1) =x (S2, m2);

2. The loop counters of S1 and S2 are of value less than or equal to i, and there are no reachable configurations (S1, m1(loop_i, σ1_i)) from (S1, m1(σ1)) and (S2, m2(loop_i, σ2_i)) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i, loop_i(n1) = loop_i(n2) = i.

• Value stores σ1_i and σ2_i agree on values of output deciding variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (OVar(S1) ∩ OVar(S2)) ∪ {id_I, id_IO} : σ1_i(x) = σ2_i(x).

3. There are reachable configurations (S1, m1(loop_i, σ1_i)) from (S1, m1(σ1)) and (S2, m2(loop_i, σ2_i)) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i, loop_i(n1) = loop_i(n2) = i.

• Value stores σ1_i and σ2_i agree on values of output deciding variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (OVar(S1) ∩ OVar(S2)) ∪ {id_I, id_IO} : σ1_i(x) = σ2_i(x).

Proof. By induction on i.

Base case.

We show that, when i = 1, one of the following holds:

1. Loop counters for S1 and S2 are always less than 1 if any is present: every configuration (S, m1'(loop')) reachable from (S1, m1(loop, σ1)) has loop'(n1) < 1, and every configuration (S, m2'(loop')) reachable from (S2, m2(loop, σ2)) has loop'(n2) < 1. S1 and S2 terminate in the same way, produce the same output sequence, and have equivalent computation of defined variables in both S1 and S2 and the input sequence variable and the I/O sequence variable, (S1, m1) =H (S2, m2), (S1, m1) =O (S2, m2) and ∀x ∈ (Def(S1) ∩ Def(S2)) ∪ {id_I, id_IO} : (S1, m1) =x (S2, m2);

2. Loop counters of S1 and S2 are of value less than or equal to 1, but there are no reachable configurations (S1, m1(loop_1, σ1_1)) from (S1, m1(σ1)) and (S2, m2(loop_1, σ2_1)) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value 1, loop_1(n1) = loop_1(n2) = 1.

• Value stores σ1_1 and σ2_1 agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_1(x) = σ2_1(x).

3. There are reachable configurations (S1, m1(loop_1, σ1_1)) from (S1, m1(σ1)) and (S2, m2(loop_1, σ2_1)) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value 1, loop_1(n1) = loop_1(n2) = 1.

• Value stores σ1_1 and σ2_1 agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_1(x) = σ2_1(x).

By definition, variables used in the predicate expression e of S1 and S2 are used in S1 and S2, Use(e) ⊆ Use(S1) ∩ Use(S2). By assumption, value stores σ1 and σ2 agree on values of variables in Use(e), so the predicate expression e evaluates to the same value w.r.t. value stores σ1 and σ2 by Lemma [ref]. There are three possibilities.

1. The evaluation of e crashes, E⟦e⟧σ1 = E⟦e⟧σ2 = (error, v_of).

The execution of S1 continues as follows:

(while_(n1)(e) {S1'}, m1(σ1))
→ (while_(n1)((error, v_of)) {S1'}, m1(σ1))   by the rule EEval'
→ (while_(n1)(0) {S1'}, m1(⊥))                by the ECrash rule
→^i (while_(n1)(0) {S1'}, m1(⊥)) for any i > 0  by the Crash rule.

Similarly, the execution of S2 started from the state m2(σ2) crashes. Therefore S1 and S2 terminate in the same way when started from m1 and m2 respectively. Because σ1(id_IO) = σ2(id_IO), the lemma holds.

2. The evaluation of e reduces to zero, E⟦e⟧σ1 = E⟦e⟧σ2 = (0, v_of).

The execution of S1 continues as follows.

(while_(n1)(e) {S1'}, m1(σ1))
→ (while_(n1)((0, v_of)) {S1'}, m1(σ1))   by the rule EEval'
→ (while_(n1)(0) {S1'}, m1(σ1))           by the E-Oflow1 or E-Oflow2 rule
→ (skip, m1(σ1))                           by the Wh-F rule.

Similarly, the execution of S2 gets to the configuration (skip, m2(σ2)). Loop counters of S1 and S2 are less than 1 and the value stores agree on values of used/defined variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable.

3. The evaluation of e reduces to the same nonzero integer value, E⟦e⟧σ1 = E⟦e⟧σ2 = (v, v_of) with v ≠ 0.

Then the execution of S1 proceeds as follows:

(while_(n1)(e) {S1'}, m1(σ1))
→ (while_(n1)((v, v_of)) {S1'}, m1(σ1))            by the rule EEval'
→ (while_(n1)(v) {S1'}, m1(σ1))                    by the E-Oflow1 or E-Oflow2 rule
→ (S1'; while_(n1)(e) {S1'}, m1(loop[1/n1], σ1))  by the Wh-T rule.

Similarly, the execution of S2 proceeds to the configuration (S2'; while_(n2)(e) {S2'}, m2(loop[1/n2], σ2)).

By the assumption, we show that S1' and S2' terminate in the same way and produce the same output sequence when started in the states m1(loop_1, σ1) and m2(loop_1, σ2) respectively, and that S1' and S2' have equivalent computation of variables defined in both statement sequences if both terminate. We need to show that all conditions are satisfied for the application of the assumption.

• There are no inputs translated into enum labels in E in the execution of S2'.

The above condition is by assumption.

• Initial values of used variables in S2' are not enum labels in E.

By the definition of used variables, Use(S2') ⊆ Use(S2). By assumption, initial values of used variables in S2 are not enum labels in E. The condition holds.

• Value stores σ1 and σ2 agree on values of used variables in S1' and S2' as well as the input, output and I/O sequence variables.

By definition, Use(S1') ⊆ Use(S1); likewise for S2' and S2. In addition, value stores σ1 and σ2 are not changed in the evaluation of the predicate expression e. The condition holds.

By assumption, S1' and S2' terminate in the same way and produce the same output sequence when started in states m1(loop_1, σ1) and m2(loop_1, σ2). In addition, S1' and S2' have equivalent computation of variables used or defined in S1' and S2' when started in states m1(loop_1, σ1) and m2(loop_1, σ2).

Then there are two cases.

(a) S1' and S2' both do not terminate and produce the same output sequence.

By Lemma E.2, S1'; S1 and S2'; S2 both do not terminate and produce the same output sequence.

(b) S1' and S2' both terminate and have equivalent computation of variables defined in S1' and S2'.

By assumption, (S1', m1(loop_1, σ1)) →* (skip, m1'(loop', σ1')) and (S2', m2(loop_1, σ2)) →* (skip, m2'(loop', σ2')) where ∀x ∈ (Def(S1') ∩ Def(S2')) ∪ {id_I, id_IO} : σ1'(x) = σ2'(x).

By assumption, Use(S1') ⊆ Use(S2') and Def(S1') = Def(S2'). Then each variable used in the predicate expression of S1 and S2 is either among the variables used or defined in both S1' and S2' or not. Therefore value stores σ2' and σ1' agree on values of variables used in the expression e and even on variables used or defined in S1' and S2'.

Induction step on iterations.

The induction hypothesis (IH) is that, when i ≥ 1, one of the following holds:

1. Loop counters for S1 and S2 are always less than i if any is present: every configuration (S, m1'(loop')) reachable from (S1, m1(loop, σ1)) has loop'(n1) < i, and every configuration (S, m2'(loop')) reachable from (S2, m2(loop, σ2)) has loop'(n2) < i. S1 and S2 terminate in the same way, produce the same output sequence, and have equivalent computation of used/defined variables in both S1 and S2 and the input sequence variable and the I/O sequence variable, (S1, m1) =H (S2, m2), (S1, m1) =O (S2, m2) and ∀x ∈ (Def(S1) ∩ Def(S2)) ∪ {id_I, id_IO} : (S1, m1) =x (S2, m2);

2. The loop counters of S1 and S2 are of value less than or equal to i, and there are no reachable configurations (S1, m1(loop_i, σ1_i)) from (S1, m1(σ1)) and (S2, m2(loop_i, σ2_i)) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i, loop_i(n1) = loop_i(n2) = i.

• Value stores σ1_i and σ2_i agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_i(x) = σ2_i(x).

3. There are reachable configurations (S1, m1(loop_i, σ1_i)) from (S1, m1(σ1)) and (S2, m2(loop_i, σ2_i)) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i, loop_i(n1) = loop_i(n2) = i.

• Value stores σ1_i and σ2_i agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_i(x) = σ2_i(x).

Then we show that, for i + 1, one of the following holds:

1. Loop counters for S1 and S2 are always less than i + 1 if any is present: every configuration (S, m1'(loop')) reachable from (S1, m1(loop, σ1)) has loop'(n1) < i + 1, and every configuration (S, m2'(loop')) reachable from (S2, m2(loop, σ2)) has loop'(n2) < i + 1. S1 and S2 terminate in the same way, produce the same output sequence, and have equivalent computation of used/defined variables in both S1 and S2 and the input sequence variable and the I/O sequence variable, (S1, m1) =H (S2, m2), (S1, m1) =O (S2, m2) and ∀x ∈ (Def(S1) ∩ Def(S2)) ∪ {id_I, id_IO} : (S1, m1) =x (S2, m2);

2. The loop counters of S1 and S2 are of value less than or equal to i + 1, and there are no reachable configurations (S1, m1(loop_{i+1}, σ1_{i+1})) from (S1, m1(σ1)) and (S2, m2(loop_{i+1}, σ2_{i+1})) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i + 1, loop_{i+1}(n1) = loop_{i+1}(n2) = i + 1.

• Value stores σ1_{i+1} and σ2_{i+1} agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_{i+1}(x) = σ2_{i+1}(x).

3. There are reachable configurations (S1, m1(loop_{i+1}, σ1_{i+1})) from (S1, m1(σ1)) and (S2, m2(loop_{i+1}, σ2_{i+1})) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i + 1, loop_{i+1}(n1) = loop_{i+1}(n2) = i + 1.

• Value stores σ1_{i+1} and σ2_{i+1} agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_{i+1}(x) = σ2_{i+1}(x).

By the hypothesis IH, there is no configuration where the loop counters of S1 and S2 are of value i + 1 when either of the following holds:

1. Loop counters for S1 and S2 are always less than i if any is present: every configuration (S, m1'(loop')) reachable from (S1, m1(loop, σ1)) has loop'(n1) < i, and every configuration (S, m2'(loop')) reachable from (S2, m2(loop, σ2)) has loop'(n2) < i. S1 and S2 terminate in the same way, produce the same output sequence, and have equivalent computation of used/defined variables in both S1 and S2 and the input sequence variable and the I/O sequence variable, (S1, m1) =H (S2, m2), (S1, m1) =O (S2, m2) and ∀x ∈ (Def(S1) ∩ Def(S2)) ∪ {id_I, id_IO} : (S1, m1) =x (S2, m2);

2. The loop counters of S1 and S2 are of value less than or equal to i, and there are no reachable configurations (S1, m1(loop_i, σ1_i)) from (S1, m1(σ1)) and (S2, m2(loop_i, σ2_i)) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i, loop_i(n1) = loop_i(n2) = i.

• Value stores σ1_i and σ2_i agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_i(x) = σ2_i(x).

When there are reachable configurations (S1, m1(loop_i, σ1_i)) from (S1, m1(σ1)) and (S2, m2(loop_i, σ2_i)) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i, loop_i(n1) = loop_i(n2) = i.

• Value stores σ1_i and σ2_i agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_i(x) = σ2_i(x);

then, by an argument similar to the base case, one of the following holds:

1. Loop counters for S1 and S2 are always less than i + 1 if any is present: every configuration (S, m1'(loop')) reachable from (S1, m1(loop, σ1)) has loop'(n1) < i + 1, and every configuration (S, m2'(loop')) reachable from (S2, m2(loop, σ2)) has loop'(n2) < i + 1. S1 and S2 terminate in the same way, produce the same output sequence, and have equivalent computation of used/defined variables in both S1 and S2 and the input sequence variable and the I/O sequence variable, (S1, m1) =H (S2, m2), (S1, m1) =O (S2, m2) and ∀x ∈ (Def(S1) ∩ Def(S2)) ∪ {id_I, id_IO} : (S1, m1) =x (S2, m2);

2. The loop counters of S1 and S2 are of value less than or equal to i + 1, and there are no reachable configurations (S1, m1(loop_{i+1}, σ1_{i+1})) from (S1, m1(σ1)) and (S2, m2(loop_{i+1}, σ2_{i+1})) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i + 1, loop_{i+1}(n1) = loop_{i+1}(n2) = i + 1.

• Value stores σ1_{i+1} and σ2_{i+1} agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_{i+1}(x) = σ2_{i+1}(x).

3. There are reachable configurations (S1, m1(loop_{i+1}, σ1_{i+1})) from (S1, m1(σ1)) and (S2, m2(loop_{i+1}, σ2_{i+1})) from (S2, m2(σ2)) where all of the following hold:

• The loop counters of S1 and S2 are of value i + 1, loop_{i+1}(n1) = loop_{i+1}(n2) = i + 1.

• Value stores σ1_{i+1} and σ2_{i+1} agree on values of used variables in both S1 and S2 as well as the input sequence variable and the I/O sequence variable, ∀x ∈ (Use(S1) ∩ Use(S2)) ∪ {id_I, id_IO} : σ1_{i+1}(x) = σ2_{i+1}(x).

□

6.3 Proof rule for variable type weakening

In programs, variable types are changed to allow for larger ranges (weakening). For example, an integer variable might be changed to a long variable to avoid integer overflow. Adding a new enumeration value is also type weakening. Increasing an array's size is another example of weakening. Allowing type weakening is essentially an assumption about the intent behind the update. The kinds of weakening that should be allowed are application dependent and would in general need to be defined by the user. The type weakenings considered here are either changes of type Int to Long or increases of array size. These updates fix integer overflow or array index out of bound errors. In order to prove the update of variable type weakening to be backward compatible, we assume that there is no integer overflow and no array index out of bound in executions of the old program and of the updated program. In conclusion, the old program and the new program produce the same output sequence because the integer overflow and index out of bound errors fixed by the new program do not occur.

We formalize the update of variable type weakening, then we show that the updated program produces the same output sequence as the old program in executions in which there are no integer overflow or index out of bound exceptions related to variables with type changes. First, we define a relation between variable definitions that captures type weakening.

Definition 28. (Cases of type weakening) We say there is type weakening from a sequence of variable definitions V1 to V2, written V1 ≼T V2, iff one of the following holds:

1. V1 = “Int id”, V2 = “Long id”;

2. V1 = “τ id[n1]”, V2 = “τ id[n2]” where n2 > n1;

3. V1 = V1', “τ1 id1”, V2 = V2', “τ2 id2” where (V1' ≼T V2') ∧ (“τ1 id1” ≼T “τ2 id2”);

4. V1 = V1', “τ1 id1[n1]”, V2 = V2', “τ2 id2[n2]” where (V1' ≼T V2') ∧ (“τ1 id1[n1]” ≼T “τ2 id2[n2]”).

The following is the generalized definition of variable type weakening.

Definition 29. (Variable type weakening) We say that there are updates of variable type weakening in the program P2 = Pmpt; EN; V2; Sentry compared with the program P1 = Pmpt; EN; V1; Sentry, written P2 ≈T P1, iff V1 ≼T V2.

We show that two programs terminate in the same way, produce the same output sequence, and have equivalent computation of defined variables in both programs in valid executions if there are updates of variable type weakening between them.

Lemma 6.7. Let P1 = EN; V1; Sentry and P2 = EN; V2; Sentry be two programs where there are updates of variable type weakening, P2 ≈T P1. If the programs P1 and P2 start in states m1(σ1) and m2(σ2) such that both of the following hold:

• Value stores σ1 and σ2 agree on values of variables used in Sentry as well as the input sequence variable and the I/O sequence variable, ∀x ∈ Use(Sentry) ∪ {id_I, id_IO} : σ1(x) = σ2(x);

• There are no integer overflow or index out of bound exceptions related to variables of type change;


Figure 17: Exit-on-error. [Figure residue: two columns, old (lines 1–3) and new (lines 1'–3'); the new version's line 1' begins with “If(1/(a”, line 2' is “skip”, and line 3' of both versions is “output a”.]


then Sentry in the programs P1 and P2 terminates in the same way, produces the same output sequence, and when both terminate, they have equivalent computation of defined variables in Sentry in both programs as well as the input sequence variable and the I/O sequence variable,

• (Sentry, m1) =H (Sentry, m2);

• (Sentry, m1) =O (Sentry, m2);

• ∀x ∈ Def(Sentry) ∪ {id_I, id_IO} : (Sentry, m1) =x (Sentry, m2).

Because Sentry is exactly the same in both programs P1 and P2, we omit the straightforward proof. Instead, we show that, if there is no array index out of bound and no integer overflow in executions of the old program, then there is no array index out of bound or integer overflow in executions of the updated program, due to the increase of array size and the change of type Int to Long.

Proof. The proof is straightforward because the statement sequence S is the same in programs P1 and P2. The only point is that if there is no array index out of bound or integer overflow in the execution of S in P1, then there is no array index out of bound or integer overflow in the execution of S in P2. To show the point, we present the argument for array index out of bound and integer overflow separately.

1. We show that, for one expression id1[id2], there is no array index out of bound in P2 if there is no array index out of bound in P1 when P1 and P2 are in states agreeing on values of used variables in P1 and P2:

(id1[id2], m1(σ1))
→ (id1[v], m1(σ1))   by the rule Var

Similarly, (id1[id2], m2(σ2)) → (id1[v], m2(σ2)). By Definition 28, the array bound of id1 in P2 is no less than that in P1, so there is no array out of bound exception in the evaluation of id1[id2] in P2 if there is none in the evaluation of id1[id2] in P1.

2. We show that, for one expression e, there is no integer overflow in the evaluation of e in P2 if there is no integer overflow in the evaluation of e in P1:

(e, m1(σ1))
→ ((v_e, v_of), m1(σ1))   by the rule EEval'

When every used variable in the expression e is of the same type in P1 and P2, the evaluation of the expression e in P2 has the same result (v_e, v_of) as in P1. When every used variable in the expression e is of type Int in P1 and of type Long in P2, there is no integer overflow in the evaluation of e in P2 if there is no integer overflow in the evaluation of e in P1. This is because the values of type Long are a superset of those of type Int.

□
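As an added illustration of Lemma 6.7 (example code written for this page, not the paper's formal semantics or any implementation of the W language): the value/overflow pair (v, v_of) returned by expression evaluation is modelled for Int and Long, assuming 32-bit and 64-bit two's complement with wrap-around, widths and a wrap behaviour the paper does not fix. `int_to_long_preserves` checks the lemma's second item for one expression and `array_growth_preserves` its first item; the int/long results it returns also show why the no-overflow hypothesis is needed, since once the Int evaluation of `x + 1` at x = 2^31 − 1 overflows, the old and the updated program no longer compute the same value.

```python
"""Added example (not from the paper): the value/overflow pair (v, v_of) that
expression evaluation returns in the paper's semantics, instantiated for the
Int and Long types of Definition 28.  Assumptions: Int is 32-bit and Long is
64-bit two's complement, and an out-of-range result wraps and sets v_of; the
paper fixes neither the widths nor the wrap behaviour."""

INT_BITS, LONG_BITS = 32, 64


def wrap(v, bits):
    """Reduce v to a `bits`-wide signed integer; returns (value, overflowed)."""
    half, full = 1 << (bits - 1), 1 << bits
    if -half <= v < half:
        return v, False
    return (v + half) % full - half, True


def eval_expr(expr, store, bits):
    """Evaluate an expression tree with `bits`-wide integers.
    Nodes: int literal | str variable | (op, left, right) with op in + - *.
    Returns (value, v_of); v_of is set if any sub-expression overflowed."""
    if isinstance(expr, int):
        return wrap(expr, bits)
    if isinstance(expr, str):
        return wrap(store[expr], bits)
    op, left, right = expr
    lv, lof = eval_expr(left, store, bits)
    rv, rof = eval_expr(right, store, bits)
    raw = {"+": lv + rv, "-": lv - rv, "*": lv * rv}[op]
    v, of = wrap(raw, bits)
    return v, lof or rof or of


def int_to_long_preserves(expr, store):
    """Lemma 6.7, item 2, for one expression: if the Int evaluation does not
    overflow, the Long evaluation yields the same (v, v_of).  Returns
    (claim_holds, int_result, long_result) so a caller can also see the
    divergence that appears once the old program does overflow."""
    int_res = eval_expr(expr, store, INT_BITS)
    long_res = eval_expr(expr, store, LONG_BITS)
    no_int_overflow = not int_res[1]
    claim_holds = (not no_int_overflow) or int_res == long_res
    return claim_holds, int_res, long_res


def index_in_bounds(size, idx):
    """Array access id1[id2] on an array of `size` elements (0-based)."""
    return 0 <= idx < size


def array_growth_preserves(old_size, new_size, idx):
    """Lemma 6.7, item 1: with n2 >= n1 (Definition 28, case 2), an index that
    is in bounds for the old array is in bounds for the new one."""
    if new_size < old_size:
        raise ValueError("not a type weakening: array shrank")
    return (not index_in_bounds(old_size, idx)) or index_in_bounds(new_size, idx)


def exhaustive_check(expr, var, lo, hi):
    """Check int_to_long_preserves for every value of `var` in [lo, hi]."""
    return all(int_to_long_preserves(expr, {var: x})[0] for x in range(lo, hi + 1))
```

`exhaustive_check(("*", "x", "x"), "x", 46000, 46500)` sweeps across the point (x = 46341) where the Int square first overflows: below it both evaluations agree, above it the claim holds only vacuously, which is exactly the execution the lemma's second hypothesis excludes.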


Another bugfix is called "exit-on-error": the program exits on observing an application-semantics-dependent error. Figure 17 shows an example of an exit-on-error update. In the example, the fixed bug is the program semantic error that $a = 5$. Instead of using an "exit" statement, we rely on the crash of an expression evaluation to formalize the update class. In order to prove an exit-on-error update backward compatible, we assume that there are no application-related errors in executions of the old program. Under that assumption the two programs produce the same output sequence, because the extra check does not cause the new program's execution to crash.

The following is the generalized definition of the update class "exit-on-error".

Definition 30. (Exit on error) We say a statement sequence $S_2$ includes updates of exit-on-error from a statement sequence $S_1$, written $S_2 \sim_{Exit} S_1$, iff one of the following holds:

1. $S_2$ = "If($e$) then{skip} else{skip}"; $S_1$;

2. $S_1$ = "If($e$) then{$S_1^t$} else{$S_1^f$}", $S_2$ = "If($e$) then{$S_2^t$} else{$S_2^f$}" where both of the following hold:
   • $S_2^t \sim_{Exit} S_1^t$;
   • $S_2^f \sim_{Exit} S_1^f$;

3. $S_1$ = "while$_{(n)}$($e$) {$S_1'$}", $S_2$ = "while$_{(n)}$($e$) {$S_2'$}" where $S_2' \sim_{Exit} S_1'$;

4. $S_1 = S_2$;

5. $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ such that both of the following hold:
   • $S_2' \sim_{Exit} S_1'$;
   • $s_2 \sim_{Exit} s_1$.

Though the bugfix in the first case of Definition 30 is not in rare execution, the definition shows the basic form of the bugfix clearly.
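To make the shape of the update class concrete, here is an added illustration, not code from the paper and not the program of Figure 17: two statement sequences are modelled as Python functions over a value store, an input iterator and an output list, and the inserted check If($e$) then{skip} else{skip} of case 1 has as its only effect that evaluating $e$ may crash. The bodies of $S_1$ and $S_2$, the check expression $e = 1/(a-5)$ (crashing exactly when $a = 5$) and the inputs are constructed for this illustration.

```python
# Added illustration (not code from the paper): the exit-on-error update
# class run on constructed programs.  A W statement sequence is modelled as
# a Python function over a value store, an input iterator and an output
# list; `Crash` plays the role of a crashing expression evaluation (the
# ECrash rule), so the "exit" is the crash of the inserted check
# If(e) then{skip} else{skip}, exactly as Definition 30 formalizes it.
# The program bodies, the check expression e = 1/(a-5) and the inputs are
# constructed for this illustration and are not the paper's Figure 17.


class Crash(Exception):
    """A crashing expression evaluation; the execution stops here."""


def check(e):
    """If(e) then{skip} else{skip}: both branches are skip, so the only
    observable effect is that evaluating e may crash."""
    try:
        e()
    except (ZeroDivisionError, IndexError) as err:
        raise Crash(err) from err


def s1(store, inputs, out):
    """Old sequence S1: x := a*2; output x; input y; output x+y."""
    store['x'] = store['a'] * 2
    out.append(store['x'])
    store['y'] = next(inputs)
    out.append(store['x'] + store['y'])


def s2(store, inputs, out):
    """New sequence S2 = "If(e) then{skip} else{skip}"; S1 (case 1 of
    Definition 30), with e = 1/(a-5) crashing exactly when a == 5, the
    application-level error the bugfix wants the program to exit on."""
    check(lambda: 1 // (store['a'] - 5))
    s1(store, inputs, out)


def run(seq, store, inputs):
    """Execute seq on a copy of store -> (how, outputs, final_store), where
    how is 'terminated' or 'crashed' (what the =_H relation compares)."""
    st, out = dict(store), []
    try:
        seq(st, iter(inputs), out)
        return 'terminated', out, st
    except Crash:
        return 'crashed', out, st


def lemma_6_8_conclusions(store, inputs, defined=('x', 'y')):
    """The three conclusions of Lemma 6.8 for one start state shared by
    S1 and S2: same termination (=_H), same output sequence (=_O) and,
    when both terminate, equal values of the variables defined in both
    (=_x); None when the third conclusion is vacuous."""
    h1, o1, st1 = run(s1, store, inputs)
    h2, o2, st2 = run(s2, store, inputs)
    both = h1 == h2 == 'terminated'
    return {
        'same_termination': h1 == h2,
        'same_output': o1 == o2,
        'same_defined': (all(st1.get(v) == st2.get(v) for v in defined)
                         if both else None),
    }
```

For a start state with $a = 3$ all three conclusions hold; for $a = 5$ the new sequence crashes before producing any output while the old one terminates normally, which is exactly the execution the lemma's second hypothesis (no program semantic error related to the extra check) excludes.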

We show that two programs terminate in the same way, produce the same output sequence, and have equivalent computation of the variables defined in both programs, in valid executions, if there are updates of exit-on-error between them.

Lemma 6.8. Let $S_1$ and $S_2$ be two statement sequences where there are updates of exit-on-error in $S_2$ against $S_1$, $S_2 \sim_{Exit} S_1$. If $S_1$ and $S_2$ start in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ such that both of the following hold:

• value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (Use(S_1) \cap Use(S_2)) \cup \{id_I, id_{IO}\} : \sigma_1(x) = \sigma_2(x)$;

• there are no program semantic errors related to the extra checks of the exit-on-error update in the execution of $S_2$;

then $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and, when $S_1$ and $S_2$ both terminate, have equivalent computation of the variables defined in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable:

• $(S_1, m_1) =_H (S_2, m_2)$;

• $(S_1, m_1) =_O (S_2, m_2)$;

• $\forall x \in (Def(S_1) \cap Def(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$.

Proof. By induction on the sum of the program sizes of $S_1$ and $S_2$, $size(S_1) + size(S_2)$.

Base case. $S_1 = s$ and $S_2$ = "If($e$) then{skip} else{skip}"; $s$.

By assumption there is no program semantic error related to the exit-on-error update, so the evaluation of the predicate expression $e$ in the first statement of $S_2$ does not crash. W.l.o.g., $e$ evaluates to zero. The execution of $S_2$ then proceeds as follows:

(If($e$) then{skip} else{skip}; $s$, $m_2(\sigma_2)$)
→ (If((0, $v_{of}$)) then{skip} else{skip}; $s$, $m_2(\sigma_2)$) by the rule EEval
→ (If(0) then{skip} else{skip}; $s$, $m_2(\sigma_2)$) by the rule E-Oflow1 or E-Oflow2
→ (skip; $s$, $m_2(\sigma_2)$) by the rule If-F
→ ($s$, $m_2(\sigma_2)$) by the rule Seq.

The value store $\sigma_2$ is not changed in the execution $(S_2, m_2(\sigma_2)) \rightarrow^* (s, m_2(\sigma_2))$. By assumption, $\sigma_1$ and $\sigma_2$ agree on the values of the used variables as well as the input sequence variable and the I/O sequence variable, $\forall x \in (Use(S_1) \cap Use(S_2)) \cup \{id_I, id_{IO}\} : \sigma_1(x) = \sigma_2(x)$. Both executions now continue from the same statement $s$ in states agreeing on all its used variables, so by the semantics $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of the variables defined in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable. The lemma holds.

Induction step.

The hypothesis (IH) is that this lemma holds when the sum $k$ of the program sizes of $S_1$ and $S_2$ is greater than or equal to 4, $k \geq 4$.

We then show that this lemma holds when the sum of the program sizes of $S_1$ and $S_2$ is $k + 1$. There are three cases to consider.

1. $S_1$ and $S_2$ are both "If" statements:

$S_1$ = "If($e$) then{$S_1^t$} else{$S_1^f$}", $S_2$ = "If($e$) then{$S_2^t$} else{$S_2^f$}" where both of the following hold:

• $S_2^t \sim_{Exit} S_1^t$;

• $S_2^f \sim_{Exit} S_1^f$.

By the definition of $Use(S_1)$, the variables used in the predicate expression $e$ are a subset of the used variables in $S_1$ and $S_2$, $Use(e) \subseteq Use(S_1) \cap Use(S_2)$. By assumption, the corresponding variables used in $e$ have the same values in the value stores $\sigma_1$ and $\sigma_2$. By the expression-evaluation lemma, $e$ evaluates to the same value w.r.t. $\sigma_1$ and $\sigma_2$. There are three possibilities.

(a) The evaluation of $e$ crashes, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (error, v_{of})$.

The execution of $S_1$ continues as follows:

(If($e$) then{$S_1^t$} else{$S_1^f$}, $m_1(\sigma_1)$)
→ (If((error, $v_{of}$)) then{$S_1^t$} else{$S_1^f$}, $m_1(\sigma_1)$) by the rule EEval
→ (If(0) then{$S_1^t$} else{$S_1^f$}, $m_1(\bot)$) by the ECrash rule
→$^i$ (If(0) then{$S_1^t$} else{$S_1^f$}, $m_1(\bot)$) for any $i > 0$ by the Crash rule.

Similarly, the execution of $S_2$ started from the state $m_2(\sigma_2)$ crashes. The lemma holds.

(b) The evaluation of $e$ reduces to zero, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (0, v_{of})$.

The execution of $S_1$ continues as follows:

(If($e$) then{$S_1^t$} else{$S_1^f$}, $m_1(\sigma_1)$)
→ (If((0, $v_{of}$)) then{$S_1^t$} else{$S_1^f$}, $m_1(\sigma_1)$) by the rule EEval
→ (If(0) then{$S_1^t$} else{$S_1^f$}, $m_1(\sigma_1)$) by the E-Oflow1 or E-Oflow2 rule
→ ($S_1^f$, $m_1(\sigma_1)$) by the If-F rule.

Similarly, the execution of $S_2$ gets to the configuration $(S_2^f, m_2(\sigma_2))$.

By the hypothesis IH, we show that the lemma holds. We need to show that all conditions are satisfied for the application of the hypothesis IH.

• $S_2^f \sim_{Exit} S_1^f$: by assumption.

• The sum of the program sizes of $S_1^f$ and $S_2^f$ is less than $k$, $size(S_1^f) + size(S_2^f) < k$: by definition, $size(S_1) = 1 + size(S_1^t) + size(S_1^f)$, and likewise for $S_2$. Then $size(S_1^f) + size(S_2^f) \leq k + 1 - 2 = k - 1$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in $S_1^f$ and $S_2^f$ as well as the input and I/O sequence variables: by definition, $Use(S_1^f) \subseteq Use(S_1)$, and so for $S_2^f$ and $S_2$. In addition, $\sigma_1$ and $\sigma_2$ are not changed by the evaluation of the predicate expression $e$. The condition holds.

• There are no program semantic errors related to the extra checks of the exit-on-error update in the execution of $S_2^f$: by assumption.

By the hypothesis IH, the lemma holds.

(c) The evaluation of $e$ reduces to the same nonzero integer value, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (v, v_{of})$ where $v \neq 0$.

By an argument similar to the second subcase above.

2. $S_1$ and $S_2$ are both "while" statements:

$S_1$ = "while$_{(n)}$($e$) {$S_1'$}", $S_2$ = "while$_{(n)}$($e$) {$S_2'$}" where $S_2' \sim_{Exit} S_1'$.

By Lemma 6.10, we show that this lemma holds. We need to show that all required conditions are satisfied for the application of Lemma 6.10.

• The output deciding variables in $S_1'$ are a subset of those in $S_2'$, $OVar(S_1') \subseteq OVar(S_2')$: by Lemma 6.9.

• When started in states $m_1(\sigma_1')$, $m_2(\sigma_2')$ where the value stores $\sigma_1'$ and $\sigma_2'$ agree on the values of the variables used in both $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable, then $S_1'$ and $S_2'$ terminate in the same way, produce the same output sequence, and have equivalent computation of the variables defined in both $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable: by the induction hypothesis IH, because the sum of the program sizes of $S_1'$ and $S_2'$ is less than $k$; by definition, $size(S_1) = 1 + size(S_1')$.

By Lemma 6.10, this lemma holds.

3. $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ where both of the following hold:

• $S_2' \sim_{Exit} S_1'$;

• $s_2 \sim_{Exit} s_1$.

By the hypothesis IH, we show that $S_1'$ and $S_2'$ terminate in the same way and produce the same output sequence, and that when $S_1'$ and $S_2'$ both terminate they have equivalent terminating computation of the variables used or defined in $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable. We show that all the required conditions are satisfied for the application of the hypothesis IH.

• $S_2' \sim_{Exit} S_1'$: by assumption.

• The sum of the program sizes of $S_1'$ and $S_2'$ is less than $k$, $size(S_1') + size(S_2') < k$: by definition, $size(S_2) = size(S_2') + size(s_2)$ where $size(s_2) \geq 1$, and likewise for $S_1$. Then $size(S_2') + size(S_1') \leq k + 1 - size(s_2) - size(s_1) < k$.

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in both $S_2'$ and $S_1'$ as well as the input and I/O sequence variables: by definition, $Use(S_2') \subseteq Use(S_2)$ and $Use(S_1') \subseteq Use(S_1)$. The condition holds.

By the hypothesis IH, one of the following holds:

(a) $S_1'$ and $S_2'$ both do not terminate.

By Lemma E.2, the executions of $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ both do not terminate and produce the same output sequence.

(b) $S_1'$ and $S_2'$ both terminate.

By assumption, $(S_2', m_2(\sigma_2)) \rightarrow^* (skip, m_2(\sigma_2'))$ and $(S_1', m_1(\sigma_1)) \rightarrow^* (skip, m_1(\sigma_1'))$.

By the corollary on sequences, $(S_2'; s_2, m_2(\sigma_2)) \rightarrow^* (s_2, m_2(\sigma_2'))$ and $(S_1'; s_1, m_1(\sigma_1)) \rightarrow^* (s_1, m_1(\sigma_1'))$.

By the hypothesis IH, we show that $s_2$ and $s_1$ terminate in the same way, produce the same output sequence and, when $s_2$ and $s_1$ both terminate, have equivalent computation of the variables defined in both $s_1$ and $s_2$ and the input and I/O sequence variables.

We need to show that all conditions are satisfied for the application of the hypothesis IH.

• There are updates of "exit-on-error" between $s_2$ and $s_1$, $s_2 \sim_{Exit} s_1$: by assumption.

• The sum of the program sizes of $s_2$ and $s_1$ is less than or equal to $k$: by definition, $size(S_2') \geq 1$ and $size(S_1') \geq 1$. Therefore $size(s_2) + size(s_1) \leq k + 1 - size(S_2') - size(S_1') < k$.

• Value stores $\sigma_1'$ and $\sigma_2'$ agree on the values of the output deciding variables in $s_2$ and $s_1$ as well as the input and I/O sequence variables: by Lemma 6.9, $OVar(s_1) \subseteq OVar(s_2)$, hence $OVar(s_2) \cap OVar(s_1) = OVar(s_1)$. For any variable $id$ in $Use(s_1)$, if $id$ is not defined in the executions of $S_1'$ and $S_2'$, then its value is not changed by them, $\sigma_1'(id) = \sigma_1(id) = \sigma_2(id) = \sigma_2'(id)$. Otherwise, $id$ is defined in the executions of $S_1'$ and $S_2'$ and, by the induction hypothesis, $\sigma_1'(id) = \sigma_2'(id)$. The condition holds.

• There are no program semantic errors related to the extra checks of the exit-on-error update in the execution of $s_2$: by assumption.

By the hypothesis IH, the lemma holds.

□

We list the auxiliary lemmas below. The first shows that, if there are updates of exit-on-error between two statement sequences, then the two statement sequences have the same set of defined variables and the used variables of the updated sequence are a superset of those of the old sequence; in terms of output deciding variables, those of the old sequence are a subset of those of the updated sequence.

Lemma 6.9. Let $S_1$ and $S_2$ be statement sequences where there are updates of exit-on-error, $S_2 \sim_{Exit} S_1$. Then the output deciding variables in $S_1$ are a subset of those in $S_2$, $OVar(S_1) \subseteq OVar(S_2)$.

Proof. By induction on the sum of the program sizes of $S_1$ and $S_2$. □


Lemma 6.10. Let $S_1$ = "while$_{(n_1)}$($e$) {$S_1'$}" and $S_2$ = "while$_{(n_2)}$($e$) {$S_2'$}" be two loop statements where all of the following hold:

• The output deciding variables in $S_1'$ are a subset of those in $S_2'$, $OVar(S_1') \subseteq OVar(S_2') = OVar(S)$;

• When started in states $m_1'(\sigma_1')$, $m_2'(\sigma_2')$ where

  ▪ the value stores agree on the values of the output deciding variables in both $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in OVar(S) \cup \{id_I, id_{IO}\} : \sigma_1'(x) = \sigma_2'(x)$;

  ▪ there are no program semantic errors related to the extra checks of the exit-on-error update in the executions of $S_1'$ and $S_2'$;

  then $S_1'$ and $S_2'$ terminate in the same way, produce the same output sequence, and have equivalent computation of the variables defined in $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable, $((S_1', m_1') =_H (S_2', m_2')) \wedge ((S_1', m_1') =_O (S_2', m_2')) \wedge (\forall x \in OVar(S) \cup \{id_I, id_{IO}\} : (S_1', m_1') =_x (S_2', m_2'))$.

If $S_1$ and $S_2$ start in states $m_1(loop_1, \sigma_1)$, $m_2(loop_2, \sigma_2)$ respectively, with the loop counters of $S_1$ and $S_2$ not initialized ($S_1$, $S_2$ have not executed yet), the value stores agree on the values of the variables used in $S_1$ and $S_2$, and there are no program semantic errors related to the extra checks of the exit-on-error update, then, for any positive integer $i$, one of the following holds:

1. The loop counters of $S_1$ and $S_2$ are always less than $i$ whenever present: for all reachable $m_1'(loop_1')$, $m_2'(loop_2')$ with $(S_1, m_1(loop_1, \sigma_1)) \rightarrow^* (S_1, m_1'(loop_1'))$ and $(S_2, m_2(loop_2, \sigma_2)) \rightarrow^* (S_2, m_2'(loop_2'))$, $loop_1'(n_1) < i$ and $loop_2'(n_2) < i$; and $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$, $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i$, and there are no reachable configurations $(S_1, m_1(loop_1^i, \sigma_{1_i}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^i, \sigma_{2_i}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

   • the loop counters of $S_1$ and $S_2$ are of value $i$, $loop_1^i(n_1) = loop_2^i(n_2) = i$;

   • the value stores $\sigma_{1_i}$ and $\sigma_{2_i}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_i}(x) = \sigma_{2_i}(x)$;

3. There are reachable configurations $(S_1, m_1(loop_1^i, \sigma_{1_i}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^i, \sigma_{2_i}))$ from $(S_2, m_2(\sigma_2))$ where all of the following hold:

   • the loop counters of $S_1$ and $S_2$ are of value $i$, $loop_1^i(n_1) = loop_2^i(n_2) = i$;

   • the value stores $\sigma_{1_i}$ and $\sigma_{2_i}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_i}(x) = \sigma_{2_i}(x)$.

Proof. By induction on $i$.

Base case.

We show that, when $i = 1$, one of the following holds:

1. The loop counters of $S_1$ and $S_2$ are always less than 1 whenever present, i.e. for all reachable $m_1'(loop_1')$, $m_2'(loop_2')$ from $(S_1, m_1(loop_1, \sigma_1))$ and $(S_2, m_2(loop_2, \sigma_2))$, $loop_1'(n_1) < 1$ and $loop_2'(n_2) < 1$; and $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$, $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to 1, but there are no reachable configurations $(S_1, m_1(loop_1^1, \sigma_{1_1}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^1, \sigma_{2_1}))$ from $(S_2, m_2(\sigma_2))$ where both the loop counters are of value 1, $loop_1^1(n_1) = loop_2^1(n_2) = 1$, and the value stores $\sigma_{1_1}$ and $\sigma_{2_1}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_1}(x) = \sigma_{2_1}(x)$;

3. There are reachable configurations $(S_1, m_1(loop_1^1, \sigma_{1_1}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^1, \sigma_{2_1}))$ from $(S_2, m_2(\sigma_2))$ where both the loop counters are of value 1, $loop_1^1(n_1) = loop_2^1(n_2) = 1$, and the value stores $\sigma_{1_1}$ and $\sigma_{2_1}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_1}(x) = \sigma_{2_1}(x)$.

By definition, the variables used in the predicate expression $e$ of $S_1$ and $S_2$ are among the output deciding variables of $S_1$ and $S_2$, $Use(e) \subseteq OVar(S_1) \cup OVar(S_2)$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $Use(e)$, so the predicate expression $e$ evaluates to the same value w.r.t. $\sigma_1$ and $\sigma_2$ by the expression-evaluation lemma. There are three possibilities.

1. The evaluation of $e$ crashes, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (error, v_{of})$.

The execution of $S_1$ continues as follows:

(while$_{(n_1)}$($e$) {$S_1'$}, $m_1(\sigma_1)$)
→ (while$_{(n_1)}$((error, $v_{of}$)) {$S_1'$}, $m_1(\sigma_1)$) by the rule EEval
→ (while$_{(n_1)}$(0) {$S_1'$}, $m_1(\bot)$) by the ECrash rule
→$^i$ (while$_{(n_1)}$(0) {$S_1'$}, $m_1(\bot)$) for any $i > 0$ by the Crash rule.

Similarly, the execution of $S_2$ started from the state $m_2(\sigma_2)$ crashes. Therefore $S_1$ and $S_2$ terminate in the same way when started from $m_1$ and $m_2$ respectively. Because $\sigma_1(id_{IO}) = \sigma_2(id_{IO})$, the lemma holds: the loop counters are never initialized, so the first alternative applies.

2. The evaluation of $e$ reduces to zero, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (0, v_{of})$.

The execution of $S_1$ continues as follows:

(while$_{(n_1)}$($e$) {$S_1'$}, $m_1(\sigma_1)$)
→ (while$_{(n_1)}$((0, $v_{of}$)) {$S_1'$}, $m_1(\sigma_1)$) by the rule EEval
→ (while$_{(n_1)}$(0) {$S_1'$}, $m_1(\sigma_1)$) by the E-Oflow1 or E-Oflow2 rule
→ (skip, $m_1(\sigma_1)$) by the Wh-F rule.

Similarly, the execution of $S_2$ gets to the configuration (skip, $m_2(\sigma_2)$). The loop counters of $S_1$ and $S_2$ stay less than 1 and the value stores agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, so the first alternative holds.

3. The evaluation of $e$ reduces to the same nonzero integer value, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (v, v_{of})$ where $v \neq 0$.

Then the execution of $S_1$ proceeds as follows:

(while$_{(n_1)}$($e$) {$S_1'$}, $m_1(\sigma_1)$)
→ (while$_{(n_1)}$(($v$, $v_{of}$)) {$S_1'$}, $m_1(\sigma_1)$) by the rule EEval
→ (while$_{(n_1)}$($v$) {$S_1'$}, $m_1(\sigma_1)$) by the E-Oflow1 or E-Oflow2 rule
→ ($S_1'$; while$_{(n_1)}$($e$) {$S_1'$}, $m_1(loop_1 \cup \{(n_1) \mapsto 1\}, \sigma_1)$) by the Wh-T rule.

Similarly, the execution of $S_2$ proceeds to the configuration ($S_2'$; while$_{(n_2)}$($e$) {$S_2'$}, $m_2(loop_2 \cup \{(n_2) \mapsto 1\}, \sigma_2)$).

By the assumption of the lemma, $S_1'$ and $S_2'$ terminate in the same way and produce the same output sequence when started in the states $m_1(loop_1^1, \sigma_1)$ and $m_2(loop_2^1, \sigma_2)$ respectively, and $S_1'$ and $S_2'$ have equivalent computation of the variables defined in both statement sequences if both terminate. We need to show that all conditions are satisfied for the application of the assumption.

• There are no program semantic errors related to the extra checks of the exit-on-error update in the executions of $S_2'$ and $S_1'$: by assumption.

• The value stores $\sigma_1$ and $\sigma_2$ agree on the values of the output deciding variables in $S_1'$ and $S_2'$ as well as the input and I/O sequence variables: by definition, $OVar(S_1') \subseteq OVar(S_1)$, and so for $S_2'$ and $S_2$. In addition, $\sigma_1$ and $\sigma_2$ are not changed by the evaluation of the predicate expression $e$. The condition holds.

By assumption, $S_1'$ and $S_2'$ therefore terminate in the same way and produce the same output sequence when started in the states $m_1(loop_1^1, \sigma_1)$ and $m_2(loop_2^1, \sigma_2)$, and have equivalent computation of the output deciding variables in $S_1'$ and $S_2'$. There are two cases.

(a) $S_1'$ and $S_2'$ both do not terminate and produce the same output sequence.

By Lemma E.2, $S_1'; S_1$ and $S_2'; S_2$ both do not terminate and produce the same output sequence.

(b) $S_1'$ and $S_2'$ both terminate and have equivalent computation of the output deciding variables in $S_1'$ and $S_2'$.

By assumption, $(S_1', m_1(loop_1^1, \sigma_1)) \rightarrow^* (skip, m_1(loop_1'', \sigma_1'))$ and $(S_2', m_2(loop_2^1, \sigma_2)) \rightarrow^* (skip, m_2(loop_2'', \sigma_2'))$ where $\forall x \in (OVar(S_1') \cup OVar(S_2')) \cup \{id_I, id_{IO}\} : \sigma_1'(x) = \sigma_2'(x)$.

By Lemma 6.9, $OVar(S_1) \subseteq OVar(S_2)$. Then each variable used in the predicate expression of $S_1$ and $S_2$ is either among the output deciding variables of both $S_1'$ and $S_2'$ or not defined by them at all. Therefore the value stores $\sigma_1'$ and $\sigma_2'$ agree on the values of the variables used in the expression $e$ and, more generally, on the output deciding variables in $S_1$ and $S_2$. The executions thus reach the configurations $(S_1, m_1(loop_1^1, \sigma_1'))$ and $(S_2, m_2(loop_2^1, \sigma_2'))$ with loop counters of value 1 and agreeing value stores, which is the third alternative.

Induction step on iterations.

The induction hypothesis (IH) is that, for $i \geq 1$, one of the following holds:

1. The loop counters of $S_1$ and $S_2$ are always less than $i$ whenever present, i.e. for all reachable $m_1'(loop_1')$, $m_2'(loop_2')$ from $(S_1, m_1(loop_1, \sigma_1))$ and $(S_2, m_2(loop_2, \sigma_2))$, $loop_1'(n_1) < i$ and $loop_2'(n_2) < i$; and $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of the output deciding variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$, $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i$, and there are no reachable configurations $(S_1, m_1(loop_1^i, \sigma_{1_i}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^i, \sigma_{2_i}))$ from $(S_2, m_2(\sigma_2))$ where both the loop counters are of value $i$, $loop_1^i(n_1) = loop_2^i(n_2) = i$, and the value stores $\sigma_{1_i}$ and $\sigma_{2_i}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_i}(x) = \sigma_{2_i}(x)$;

3. There are reachable configurations $(S_1, m_1(loop_1^i, \sigma_{1_i}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^i, \sigma_{2_i}))$ from $(S_2, m_2(\sigma_2))$ where both the loop counters are of value $i$, $loop_1^i(n_1) = loop_2^i(n_2) = i$, and the value stores $\sigma_{1_i}$ and $\sigma_{2_i}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_i}(x) = \sigma_{2_i}(x)$.

We then show that, for $i + 1$, one of the same three alternatives holds, with $i + 1$ in place of $i$: either the loop counters of $S_1$ and $S_2$ are always less than $i + 1$ and $S_1$ and $S_2$ terminate in the same way, produce the same output sequence and have equivalent computation of the output deciding variables in $S_1$ and $S_2$ as well as the input and I/O sequence variables; or the loop counters are of value less than or equal to $i + 1$ and there are no reachable configurations $(S_1, m_1(loop_1^{i+1}, \sigma_{1_{i+1}}))$, $(S_2, m_2(loop_2^{i+1}, \sigma_{2_{i+1}}))$ with $loop_1^{i+1}(n_1) = loop_2^{i+1}(n_2) = i + 1$ and $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_{i+1}}(x) = \sigma_{2_{i+1}}(x)$; or there are such reachable configurations.

By the hypothesis IH and Theorems 4 and 5, there is no configuration in which the loop counters of $S_1$ and $S_2$ are of value $i + 1$ when either the first or the second alternative holds for $i$: in both of these alternatives the loop counters never exceed $i$. Hence the alternative that holds for $i$ holds for $i + 1$ as well.

When the third alternative holds for $i$, i.e. there are reachable configurations $(S_1, m_1(loop_1^i, \sigma_{1_i}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^i, \sigma_{2_i}))$ from $(S_2, m_2(\sigma_2))$ where the loop counters of $S_1$ and $S_2$ are of value $i$, $loop_1^i(n_1) = loop_2^i(n_2) = i$, and the value stores $\sigma_{1_i}$ and $\sigma_{2_i}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_i}(x) = \sigma_{2_i}(x)$, then, by the same argument as in the base case applied to these two configurations (the predicate expression $e$ evaluates to the same value w.r.t. $\sigma_{1_i}$ and $\sigma_{2_i}$, and the three possibilities crash, zero and nonzero are handled as there, the Wh-T rule now setting the loop counters to $i + 1$), one of the following holds:

1. The loop counters of $S_1$ and $S_2$ are always less than $i + 1$ whenever present, and $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $(S_1, m_1) =_H (S_2, m_2)$, $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i + 1$, and there are no reachable configurations $(S_1, m_1(loop_1^{i+1}, \sigma_{1_{i+1}}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^{i+1}, \sigma_{2_{i+1}}))$ from $(S_2, m_2(\sigma_2))$ where both the loop counters are of value $i + 1$, $loop_1^{i+1}(n_1) = loop_2^{i+1}(n_2) = i + 1$, and the value stores $\sigma_{1_{i+1}}$ and $\sigma_{2_{i+1}}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_{i+1}}(x) = \sigma_{2_{i+1}}(x)$;

3. There are reachable configurations $(S_1, m_1(loop_1^{i+1}, \sigma_{1_{i+1}}))$ from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop_2^{i+1}, \sigma_{2_{i+1}}))$ from $(S_2, m_2(\sigma_2))$ where both the loop counters are of value $i + 1$, $loop_1^{i+1}(n_1) = loop_2^{i+1}(n_2) = i + 1$, and the value stores $\sigma_{1_{i+1}}$ and $\sigma_{2_{i+1}}$ agree on the values of the output deciding variables in $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall x \in (OVar(S_1) \cup OVar(S_2)) \cup \{id_I, id_{IO}\} : \sigma_{1_{i+1}}(x) = \sigma_{2_{i+1}}(x)$.

□
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6.5 Proof rule for improved prompt message 

If the only difference between two programs are the constant mes¬ 
sages that the user receives, we consider that the two programs to be 
equivalent. We realize that in general it is possible to introduce new 
semantics even by changing constant strings. An old version might 
have incorrectly labeled output: “median value = 5” instead of “av¬ 
erage value = 5, for example. We rule out such possibilities because 
all non-constant values are guaranteed to be exactly same. In prac¬ 
tice, outputs could be classified into prompt outputs and actual out¬ 
puts. Prompt outputs are those asking clients for inputs, which are 
constants hardcoded in the output statement. Actual outputs are dy¬ 
namic messages produced by evaluation of non-constant expression 
in execution. The changes of prompt outputs are equivalent only for 
interactions with human clients. In order to prove the update of im¬ 
proved prompt messages to be backward compatible, we assume 
that the different prompt outputs produced in executions of the old 
program and the updated program, due to the different constants in 
output statements, are equivalent. Because the old program and the 
new program are exactly same except some output statements with 
different constants as expression e, we could show two programs 
produce the “equivalent” output sequence under the assumption of 
equivalent prompt outputs. 

We formalize the generalized update of improved prompt mes¬ 
sages, then we show that the updated program produce the same 
I/O sequence as the old program in executions without program se¬ 
mantic errors. The following is the definition of the update class of 
improved prompt messages. 

Definition 31. (Improved user messages) A program $P_2 = Pmpt_2;\ EN;\ V;\ S_{entry}$ includes updates of improved prompt messages compared with a program $P_1 = Pmpt_1;\ EN;\ V;\ S_{entry}$, written $P_2 \sim_{Out} P_1$, iff $Pmpt_1 \neq Pmpt_2$.

We give the lemma that two programs terminate in the same way, produce equivalent output sequences, and have equivalent computation of the variables defined in both programs, in valid executions, if there are updates of improved prompt messages between them.

Lemma 6.11. Let $P_1 = Pmpt_1;\ EN;\ V;\ S_{entry}$ and $P_2 = Pmpt_2;\ EN;\ V;\ S_{entry}$ be two programs where there are updates of improved prompt messages in $P_2$ compared with $P_1$, and write $S_1$ and $S_2$ for $S_{entry}$ as executed in $P_1$ and in $P_2$ respectively. If $S_1$ and $S_2$ start in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ such that all of the following hold:

• Value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in $S_{entry}$ in both programs as well as the input sequence variable, $\forall x \in Use(S_{entry}) \cup \{id_I\} : \sigma_1(x) = \sigma_2(x)$;

• Value stores $\sigma_1$ and $\sigma_2$ have "equivalent" I/O sequences, $\sigma_1(id_{IO}) = \sigma_2(id_{IO})$;

• The different prompt outputs in the update of improved prompt messages are equivalent;

then $S_1$ and $S_2$ terminate in the same way, produce equivalent output sequences, and, when $S_1$ and $S_2$ both terminate, have equivalent computation of the variables defined in $S_{entry}$ in both programs as well as the input sequence variable; and $S_{entry}$ in the two programs produces equivalent values of the I/O sequence variable:

• $(S_{entry}, m_1) =_H (S_{entry}, m_2)$;

• $\forall x \in (Def(S_1) \cap Def(S_2)) \cup \{id_I\} : (S_{entry}, m_1) =_x (S_{entry}, m_2)$;

• The output sequences produced in the executions of $S_{entry}$ in both programs are "equivalent", $\sigma_1'(id_{IO}) = \sigma_2'(id_{IO})$.

The difference between the prompt types of $P_1$ and $P_2$ can be either the addition or removal of labels or a change of the mapping from labels to constants. The proof is straightforward because the programs $P_1$ and $P_2$ have the same entry statement sequence and we assume that the prompt outputs that differ only because of the different prompt types are equivalent.
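The equivalence the lemma relies on can be made executable. The following is an added illustration, not code from the paper: an I/O sequence is a list of events, a prompt output carries the label of the hardcoded constant in its output statement, and a prompt type $Pmpt$ maps labels to the text the client sees. `equivalent_io` decides whether two captured client-side traces are "equivalent" in the sense of the lemma (they may differ only in prompt text, never in an input or in an actual output), and `prompt_diff` reports the two kinds of difference between prompt types named above. The event encoding, the labels, the prompt texts and the entry sequence are constructed for this illustration.

```python
# Added illustration (not code from the paper): the "equivalent I/O
# sequence" relation of Lemma 6.11 made executable.  An I/O sequence is a
# list of events ('prompt', label) | ('in', value) | ('out', value): a
# prompt output carries the label of the hardcoded constant in its output
# statement, and a prompt type Pmpt maps labels to the constant text the
# client sees.  The event encoding, the labels, the prompt texts and the
# entry sequence are constructed for this illustration.

PMPT_OLD = {'ask': 'Enter a number:', 'result': 'median value = '}
PMPT_NEW = {'ask': 'Please enter a positive integer:',
            'result': 'average value = ', 'bye': 'Done.'}


def entry(inputs):
    """S_entry, shared by P1 and P2: two prompts, two inputs, a labelled
    result followed by the computed value.  Returns the abstract I/O
    sequence (the value of id_IO) before any prompt type is applied."""
    events, it = [], iter(inputs)
    events.append(('prompt', 'ask')); x = next(it); events.append(('in', x))
    events.append(('prompt', 'ask')); y = next(it); events.append(('in', y))
    events.append(('prompt', 'result'))
    events.append(('out', (x + y) / 2))     # an actual (non-constant) output
    return events


def render(events, pmpt):
    """What the client actually receives under prompt type pmpt."""
    return [('out', pmpt[p]) if k == 'prompt' else (k, p) for k, p in events]


def abstract(trace, pmpt):
    """Inverse of render: recover the labels of prompt outputs from a
    captured client-side trace.  An output whose text equals a prompt
    constant of pmpt is taken to be that prompt; an actual output that
    happened to equal a prompt constant would be misclassified, which the
    paper's model avoids because prompt constants and computed values are
    distinct syntactic forms in the output statement."""
    by_text = {text: label for label, text in pmpt.items()}
    return [('prompt', by_text[p]) if k == 'out' and p in by_text else (k, p)
            for k, p in trace]


def equivalent_io(trace1, pmpt1, trace2, pmpt2):
    """sigma_1(id_IO) "=" sigma_2(id_IO) in the sense of Lemma 6.11: the
    traces agree event by event once prompt outputs are compared by label
    (their text may differ between Pmpt_1 and Pmpt_2), while every input
    and every actual output must be identical.
    Returns (True, -1) or (False, index_of_first_mismatch)."""
    ev1, ev2 = abstract(trace1, pmpt1), abstract(trace2, pmpt2)
    n = min(len(ev1), len(ev2))
    for i in range(n):
        if ev1[i] != ev2[i]:
            return False, i
    return (True, -1) if len(ev1) == len(ev2) else (False, n)


def prompt_diff(pmpt1, pmpt2):
    """The two kinds of difference between prompt types: labels added or
    removed, and labels whose constant changed -> (added, removed, changed)."""
    added = set(pmpt2) - set(pmpt1)
    removed = set(pmpt1) - set(pmpt2)
    changed = {l for l in set(pmpt1) & set(pmpt2) if pmpt1[l] != pmpt2[l]}
    return added, removed, changed
```

The "median value = " to "average value = " relabelling passes this check, exactly as the discussion above says it must: the relation sees only that a prompt constant changed, so whether such a change is acceptable remains an assumption about the client, not something the rule can decide. A changed actual output, or a missing event, is rejected.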

Proof. By induction on the sum of the program size of Si and S2, 
size(Si) -I- size(S2). 

Base case. Si = “output wi” and S2 = “output 1)2”; 

Then the execution of S2 proceeds as follows. 

(output V2, 7712(0-2)) 

- 7 (skip, 7712(0-2[“o-2(idjo) • 1/2”/idio])) 

by the rule Out -1 or Out -2 

Similarly, (outputwi,mi(0-1)) A {skip,mi{ai[“ai{idio)-'>h"/idio]))- 
By assumption, 0-2(17/70) = 0-1(17/70). In addition, by assump¬ 
tion, 1/2 = 171 - Therefore, Si and S2 terminate in the same way, 
produce the same output sequence and have equivalent computa¬ 
tion of defined variables in Si and S2. This lemma holds. 

Induction step.

The hypothesis (IH) is that this lemma holds whenever the sum $k$ of the program sizes of $S_1$ and $S_2$ is greater than or equal to 2, $k \ge 2$.

We then show that this lemma holds when the sum of the program sizes of $S_1$ and $S_2$ is $k + 1$. There are three cases to consider.

1. $S_1$ and $S_2$ are both "If" statements:

$S_1$ = "If($e$) then $\{S_1^t\}$ else $\{S_1^f\}$", $S_2$ = "If($e$) then $\{S_2^t\}$ else $\{S_2^f\}$", where both of the following hold:

• $S_2^t \approx_{out} S_1^t$;

• $S_2^f \approx_{out} S_1^f$.

By the definition of $\mathrm{Use}(S_1)$, the variables used in the predicate expression $e$ are a subset of the variables used in $S_1$ and in $S_2$, $\mathrm{Use}(e) \subseteq \mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)$. By assumption, the corresponding variables used in $e$ have the same values in the value stores $\sigma_1$ and $\sigma_2$. By the expression-evaluation lemma, $e$ evaluates to the same value w.r.t. the value stores $\sigma_1$ and $\sigma_2$. There are three possibilities.

(a) The evaluation of $e$ crashes, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (\mathit{error}, v_{of})$.

The execution of $S_1$ continues as follows:

$(\text{If}(e)\ \text{then}\{S_1^t\}\ \text{else}\{S_1^f\},\ m_1(\sigma_1))$
$\to (\text{If}((\mathit{error}, v_{of}))\ \text{then}\{S_1^t\}\ \text{else}\{S_1^f\},\ m_1(\sigma_1))$ by the rule EEval
$\to (\text{If}(0)\ \text{then}\{S_1^t\}\ \text{else}\{S_1^f\},\ m_1(\psi))$ by the ECrash rule, where $\psi$ is the value store after a crash
$\to^i (\text{If}(0)\ \text{then}\{S_1^t\}\ \text{else}\{S_1^f\},\ m_1(\psi))$ for any $i > 0$ by the Crash rule.

Similarly, the execution of $S_2$ started from the state $m_2(\sigma_2)$ crashes. The lemma holds.

(b) The evaluation of $e$ reduces to zero, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (0, v_{of})$.

The execution of $S_1$ continues as follows:

$(\text{If}(e)\ \text{then}\{S_1^t\}\ \text{else}\{S_1^f\},\ m_1(\sigma_1))$
$\to (\text{If}((0, v_{of}))\ \text{then}\{S_1^t\}\ \text{else}\{S_1^f\},\ m_1(\sigma_1))$ by the rule EEval
$\to (\text{If}(0)\ \text{then}\{S_1^t\}\ \text{else}\{S_1^f\},\ m_1(\sigma_1))$ by the E-Oflow1 or E-Oflow2 rule
$\to (S_1^f,\ m_1(\sigma_1))$ by the If-F rule.

Similarly, the execution of $S_2$ gets to the configuration $(S_2^f, m_2(\sigma_2))$.

By the hypothesis IH, we show that the lemma holds. We need to show that all conditions for applying the hypothesis IH are satisfied.

• $S_2^f \approx_{out} S_1^f$: by assumption.

• The sum of the program sizes of $S_1^f$ and $S_2^f$ is less than $k$, $\mathrm{size}(S_1^f) + \mathrm{size}(S_2^f) < k$: by definition, $\mathrm{size}(S_1) = 1 + \mathrm{size}(S_1^t) + \mathrm{size}(S_1^f)$, and likewise for $S_2$. Then $\mathrm{size}(S_1^f) + \mathrm{size}(S_2^f) \le k + 1 - 2 = k - 1 < k$.

• The value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in $S_1^f$ and $S_2^f$ as well as the input sequence variable and the I/O sequence variable: by definition, $\mathrm{Use}(S_1^f) \subseteq \mathrm{Use}(S_1)$, and likewise for $S_2^f$ and $S_2$. In addition, the value stores $\sigma_1$ and $\sigma_2$ are not changed by the evaluation of the predicate expression $e$. The condition holds.

• Different constants used in output statements are equivalent as output values: by assumption.

By the hypothesis IH, the lemma holds.

(c) The evaluation of $e$ reduces to the same nonzero integer value, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (v, v_{of})$ where $v \ne 0$.

By an argument similar to subcase (b), with the If-T rule selecting $S_1^t$ and $S_2^t$.

2. $S_1$ and $S_2$ are both "while" statements:

$S_1$ = "while$_{(n_1)}$($e$) $\{S_1'\}$", $S_2$ = "while$_{(n_2)}$($e$) $\{S_2'\}$", where $S_2' \approx_{out} S_1'$.

By Lemma 6.13 we show that this lemma holds. We need to show that all conditions required for applying Lemma 6.13 are satisfied.

• $S_1'$ and $S_2'$ have the same set of defined variables, $\mathrm{Def}(S_1') = \mathrm{Def}(S_2') = \mathrm{Def}(S)$;

• $S_1'$ and $S_2'$ have the same set of used variables, $\mathrm{Use}(S_1') = \mathrm{Use}(S_2')$.

Both hold by Lemma 6.12.

• When started in states $m_1(\sigma_1')$, $m_2(\sigma_2')$ where the value stores $\sigma_1'$ and $\sigma_2'$ agree on the values of the variables used in both $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable, $S_1'$ and $S_2'$ terminate in the same way, produce equivalent output sequences, and have equivalent computation of the variables defined in both $S_1'$ and $S_2'$ as well as the input sequence variable and the I/O sequence variable.

This holds by the induction hypothesis IH, because the sum of the program sizes of $S_1'$ and $S_2'$ is less than $k$: by definition, $\mathrm{size}(S_1) = 1 + \mathrm{size}(S_1')$, and likewise for $S_2$.

By Lemma 6.13, this lemma holds.

3. $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$, where both of the following hold:

• $S_2' \approx_{out} S_1'$;

• $s_2 \approx_{out} s_1$.

By the hypothesis IH, we show that $S_2'$ and $S_1'$ terminate in the same way and produce equivalent output sequences, and that when $S_2'$ and $S_1'$ both terminate, they have equivalent terminating computation of the variables defined in both $S_2'$ and $S_1'$ as well as the input sequence variable. By assumption, the values of the I/O sequence variable in the executions of $S_1$ and $S_2$ are equivalent.

We show that all conditions required for applying the hypothesis IH are satisfied.

• $S_2' \approx_{out} S_1'$: by assumption.

• The values of the I/O sequence variable in the executions of $S_1$ and $S_2$ are equivalent, $\sigma_1(id_{IO}) \equiv \sigma_2(id_{IO})$: by assumption.

• The sum of the program sizes of $S_1'$ and $S_2'$ is less than $k$, $\mathrm{size}(S_1') + \mathrm{size}(S_2') < k$: by definition, $\mathrm{size}(S_2) = \mathrm{size}(S_2') + \mathrm{size}(s_2)$ where $\mathrm{size}(s_2) \ge 1$, and likewise for $S_1$. Then $\mathrm{size}(S_1') + \mathrm{size}(S_2') \le k + 1 - \mathrm{size}(s_2) - \mathrm{size}(s_1) < k$.

• The value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in both $S_2'$ and $S_1'$ as well as the input sequence variable: by definition, $\mathrm{Use}(S_1') \subseteq \mathrm{Use}(S_1)$ and $\mathrm{Use}(S_2') \subseteq \mathrm{Use}(S_2)$. The condition holds.

By the hypothesis IH, one of the following holds:

(a) $S_1'$ and $S_2'$ both do not terminate.

By Lemma E.2, the executions of $S_1 = S_1'; s_1$ and $S_2 = S_2'; s_2$ both do not terminate and produce equivalent output sequences.

(b) $S_1'$ and $S_2'$ both terminate.

By assumption, $(S_2', m_2(\sigma_2)) \to^* (\text{skip}, m_2'(\sigma_2'))$ and $(S_1', m_1(\sigma_1)) \to^* (\text{skip}, m_1'(\sigma_1'))$.

By Corollary E.1, $(S_2'; s_2, m_2(\sigma_2)) \to^* (s_2, m_2'(\sigma_2'))$ and $(S_1'; s_1, m_1(\sigma_1)) \to^* (s_1, m_1'(\sigma_1'))$.

By the hypothesis IH, we show that $s_2$ and $s_1$ terminate in the same way, produce "equivalent" output sequences, and, when $s_2$ and $s_1$ both terminate, have equivalent computation of the variables defined in both $s_1$ and $s_2$ and the input sequence variable.

We need to show that all conditions for applying the hypothesis IH are satisfied.

• There are updates of "improved prompt messages" in $s_2$ compared with $s_1$, $s_2 \approx_{out} s_1$: by assumption.

• The sum of the program sizes of $s_2$ and $s_1$ is less than $k$: by definition, $\mathrm{size}(S_1') \ge 1$ and $\mathrm{size}(S_2') \ge 1$. Therefore $\mathrm{size}(s_2) + \mathrm{size}(s_1) \le k + 1 - \mathrm{size}(S_1') - \mathrm{size}(S_2') < k$.

• The value stores $\sigma_1'$ and $\sigma_2'$ agree on the values of the variables used in $s_2$ and $s_1$ as well as the input sequence variable: by Lemma 6.9, $\mathrm{Use}(s_1) = \mathrm{Use}(s_2) = \mathrm{Use}(s)$ and $\mathrm{Def}(S_1') = \mathrm{Def}(S_2')$. For any variable $id \in \mathrm{Use}(s)$, if $id \notin \mathrm{Def}(S_1')$, then the value of $id$ is not changed by the executions of $S_1'$ and $S_2'$, $\sigma_1'(id) = \sigma_1(id) = \sigma_2(id) = \sigma_2'(id)$. Otherwise $id$ is defined in the executions of both $S_1'$ and $S_2'$, and by the hypothesis IH $\sigma_1'(id) = \sigma_2'(id)$. The condition holds.

• The values of the I/O sequence variable in the value stores $\sigma_1'$ and $\sigma_2'$ are equivalent: by the hypothesis IH applied to $S_1'$ and $S_2'$.

By the hypothesis IH, the lemma holds.

□

We list the auxiliary lemmas below. The first lemma shows that, if there are updates of improved prompt messages between two statement sequences, then the two statement sequences have the same sets of defined variables and used variables. The second lemma shows that, if there are updates of improved prompt messages between the bodies of two loop statements, then the two loop statements terminate in the same way, produce equivalent output sequences, and have equivalent computation of the variables defined in both the old and the updated program as well as the input sequence variable.

Lemma 6.12. Let $S_2$ be a statement sequence with updates of "improved prompt messages" compared with a statement sequence $S_1$, $S_2 \approx_{out} S_1$. Then the used variables of $S_2$ are the same as the used variables of $S_1$, $\mathrm{Use}(S_1) = \mathrm{Use}(S_2)$, and the defined variables of $S_2$ are the same as the defined variables of $S_1$, $\mathrm{Def}(S_1) = \mathrm{Def}(S_2)$.

Proof. By induction on the sum of the program sizes of $S_1$ and $S_2$. □

Lemma 6.13. Let $S_1 = \text{while}_{(n_1)}(e)\{S_1'\}$ and $S_2 = \text{while}_{(n_2)}(e)\{S_2'\}$ be two loop statements where all of the following hold:

• There are updates of improved prompt messages in $S_2'$ compared with $S_1'$, $S_2' \approx_{out} S_1'$;

• $S_1'$ and $S_2'$ have the same set of defined variables, $\mathrm{Def}(S_1') = \mathrm{Def}(S_2') = \mathrm{Def}(S)$;

• $S_1'$ and $S_2'$ have the same set of used variables, $\mathrm{Use}(S_1') = \mathrm{Use}(S_2')$;

• When started in states $m_1'(\sigma_1')$, $m_2'(\sigma_2')$ where

  ■ the value stores agree on the values of the variables used in both $S_1'$ and $S_2'$ as well as the input sequence variable, $\forall x \in \mathrm{Use}(S_1') \cup \{id_I\}: \sigma_1'(x) = \sigma_2'(x)$;

  ■ the values of the I/O sequence variable in the value stores $\sigma_1'$, $\sigma_2'$ are equivalent, $\sigma_1'(id_{IO}) \equiv \sigma_2'(id_{IO})$;

  then $S_1'$ and $S_2'$ terminate in the same way, produce "equivalent" output sequences, and have equivalent computation of the variables defined in $S_1'$ and $S_2'$ as well as the input sequence variable, $((S_1', m_1') =_H (S_2', m_2')) \wedge (\forall x \in \mathrm{Def}(S) \cup \{id_I\}: (S_1', m_1') =_x (S_2', m_2'))$.

If $S_1$ and $S_2$ start in states $m_1(loop^1_c, \sigma_1)$, $m_2(loop^2_c, \sigma_2)$ respectively, with the loop counters of $S_1$ and $S_2$ not initialized ($S_1$, $S_2$ have not executed yet), with value stores that agree on the values of the variables used in $S_1$ and $S_2$, and with no program semantic errors, then, for any positive integer $i$, one of the following holds:

1. The loop counters of $S_1$ and $S_2$, if present, are always less than $i$: for all $m_1'(loop^{1\prime}_c)$, $m_2'(loop^{2\prime}_c)$ with $(S_1, m_1(loop^1_c, \sigma_1)) \to^* (S_1'', m_1'(loop^{1\prime}_c))$ and $(S_2, m_2(loop^2_c, \sigma_2)) \to^* (S_2'', m_2'(loop^{2\prime}_c))$, $loop^{1\prime}_c(n_1) < i$ and $loop^{2\prime}_c(n_2) < i$. $S_1$ and $S_2$ terminate in the same way, produce equivalent output sequences, and have equivalent computation of the variables defined in both $S_1$ and $S_2$ and the input sequence variable, $(S_1, m_1) =_H (S_2, m_2)$ and $\forall x \in (\mathrm{Def}(S_1) \cap \mathrm{Def}(S_2)) \cup \{id_I\}: (S_1, m_1) =_x (S_2, m_2)$; $S_1$ and $S_2$ produce "equivalent" I/O sequences;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i$, and there are no configurations $(S_1, m_1(loop^1_{c_i}, \sigma_{1_i}))$ reachable from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop^2_{c_i}, \sigma_{2_i}))$ reachable from $(S_2, m_2(\sigma_2))$ where all of the following hold:

  • The loop counters of $S_1$ and $S_2$ are of value $i$, $loop^1_{c_i}(n_1) = loop^2_{c_i}(n_2) = i$;

  • The value stores $\sigma_{1_i}$ and $\sigma_{2_i}$ agree on the values of the variables used in both $S_1$ and $S_2$ as well as the input sequence variable, $\forall x \in (\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I\}: \sigma_{1_i}(x) = \sigma_{2_i}(x)$;

  • The values of the I/O sequence variable are equivalent, $\sigma_{1_i}(id_{IO}) \equiv \sigma_{2_i}(id_{IO})$;

3. There are configurations $(S_1, m_1(loop^1_{c_i}, \sigma_{1_i}))$ reachable from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop^2_{c_i}, \sigma_{2_i}))$ reachable from $(S_2, m_2(\sigma_2))$ where all of the following hold:

  • The loop counters of $S_1$ and $S_2$ are of value $i$, $loop^1_{c_i}(n_1) = loop^2_{c_i}(n_2) = i$;

  • The value stores $\sigma_{1_i}$ and $\sigma_{2_i}$ agree on the values of the variables used in both $S_1$ and $S_2$ as well as the input sequence variable, $\forall x \in (\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I\}: \sigma_{1_i}(x) = \sigma_{2_i}(x)$;

  • The values of the I/O sequence variable in $\sigma_{1_i}$, $\sigma_{2_i}$ are equivalent, $\sigma_{1_i}(id_{IO}) \equiv \sigma_{2_i}(id_{IO})$.

Proof. By induction on $i$.

Base case.

We show that, when $i = 1$, one of the three alternatives of the lemma holds with $i = 1$: either (1) the loop counters of $S_1$ and $S_2$, if present, are always less than 1, and $S_1$ and $S_2$ terminate in the same way, produce equivalent I/O sequences, and have equivalent computation of the variables defined in both $S_1$ and $S_2$ and the input sequence variable, $(S_1, m_1) =_H (S_2, m_2)$ and $\forall x \in \mathrm{Def}(S) \cup \{id_I\}: (S_1, m_1) =_x (S_2, m_2)$; or (2) the loop counters are of value at most 1, but there are no configurations $(S_1, m_1(loop^1_{c_1}, \sigma_{1_1}))$ reachable from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop^2_{c_1}, \sigma_{2_1}))$ reachable from $(S_2, m_2(\sigma_2))$ in which the loop counters are of value 1, $loop^1_{c_1}(n_1) = loop^2_{c_1}(n_2) = 1$, the value stores agree on the values of the variables used in both $S_1$ and $S_2$ and the input sequence variable, $\forall x \in (\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I\}: \sigma_{1_1}(x) = \sigma_{2_1}(x)$, and the values of the I/O sequence variable are equivalent, $\sigma_{1_1}(id_{IO}) \equiv \sigma_{2_1}(id_{IO})$; or (3) there are reachable configurations with exactly these properties.

By definition, the variables used in the predicate expression $e$ of $S_1$ and $S_2$ are used in $S_1$ and $S_2$, $\mathrm{Use}(e) \subseteq \mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)$. By assumption, the value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables in $\mathrm{Use}(e)$, so the predicate expression $e$ evaluates to the same value w.r.t. $\sigma_1$ and $\sigma_2$ by the expression-evaluation lemma. There are three possibilities.

1. The evaluation of $e$ crashes, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (\mathit{error}, v_{of})$.

The execution of $S_1$ continues as follows:

$(\text{while}_{(n_1)}(e)\{S_1'\},\ m_1(\sigma_1))$
$\to (\text{while}_{(n_1)}((\mathit{error}, v_{of}))\{S_1'\},\ m_1(\sigma_1))$ by the rule EEval
$\to (\text{while}_{(n_1)}(0)\{S_1'\},\ m_1(\psi))$ by the ECrash rule
$\to^i (\text{while}_{(n_1)}(0)\{S_1'\},\ m_1(\psi))$ for any $i > 0$ by the Crash rule.

Similarly, the execution of $S_2$ started from the state $m_2(\sigma_2)$ crashes. Therefore $S_1$ and $S_2$ terminate in the same way when started from $m_1$ and $m_2$ respectively. Because $\sigma_1(id_{IO}) \equiv \sigma_2(id_{IO})$, the lemma holds.

2. The evaluation of $e$ reduces to zero, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (0, v_{of})$.

The execution of $S_1$ continues as follows:

$(\text{while}_{(n_1)}(e)\{S_1'\},\ m_1(\sigma_1))$
$\to (\text{while}_{(n_1)}((0, v_{of}))\{S_1'\},\ m_1(\sigma_1))$ by the rule EEval
$\to (\text{while}_{(n_1)}(0)\{S_1'\},\ m_1(\sigma_1))$ by the E-Oflow1 or E-Oflow2 rule
$\to (\text{skip},\ m_1(\sigma_1))$ by the Wh-F rule.

Similarly, the execution of $S_2$ gets to the configuration $(\text{skip}, m_2(\sigma_2))$. The loop counters of $S_1$ and $S_2$ are less than 1, and the value stores agree on the values of the used and defined variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable. Alternative 1 holds.

3. The evaluation of $e$ reduces to the same nonzero integer value, $\mathcal{E}'[\![e]\!]\sigma_1 = \mathcal{E}'[\![e]\!]\sigma_2 = (v, v_{of})$ where $v \ne 0$.

Then the execution of $S_1$ proceeds as follows:

$(\text{while}_{(n_1)}(e)\{S_1'\},\ m_1(\sigma_1))$
$\to (\text{while}_{(n_1)}((v, v_{of}))\{S_1'\},\ m_1(\sigma_1))$ by the rule EEval
$\to (\text{while}_{(n_1)}(v)\{S_1'\},\ m_1(\sigma_1))$ by the E-Oflow1 or E-Oflow2 rule
$\to (S_1'; \text{while}_{(n_1)}(e)\{S_1'\},\ m_1(loop^1_c[1/n_1], \sigma_1))$ by the Wh-T rule.

Similarly, the execution of $S_2$ proceeds to the configuration $(S_2'; \text{while}_{(n_2)}(e)\{S_2'\},\ m_2(loop^2_c[1/n_2], \sigma_2))$.

By the assumption of the lemma, $S_1'$ and $S_2'$ terminate in the same way and produce equivalent I/O sequences when started in the states $m_1(loop^1_c, \sigma_1)$ and $m_2(loop^2_c, \sigma_2)$ respectively, and have equivalent computation of the variables defined in both statement sequences if both terminate. We need to show that all conditions for applying the assumption are satisfied.

• The values of the I/O sequence variable in the value stores $\sigma_1$ and $\sigma_2$ are equivalent, $\sigma_1(id_{IO}) \equiv \sigma_2(id_{IO})$: by assumption.

• The value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in $S_1'$ and $S_2'$ as well as the input sequence variable: by definition, $\mathrm{Use}(S_1') \subseteq \mathrm{Use}(S_1)$, and likewise for $S_2'$ and $S_2$. In addition, the value stores $\sigma_1$ and $\sigma_2$ are not changed by the evaluation of the predicate expression $e$. The condition holds.

Hence $S_1'$ and $S_2'$ terminate in the same way and produce equivalent output sequences when started in the states $m_1(loop^1_c, \sigma_1)$ and $m_2(loop^2_c, \sigma_2)$, and have equivalent computation of the variables used or defined in both $S_1'$ and $S_2'$ when both terminate. There are two cases.

(a) $S_1'$ and $S_2'$ both do not terminate and produce equivalent I/O sequences.

By Lemma E.2, $S_1'; S_1$ and $S_2'; S_2$ both do not terminate and produce equivalent I/O sequences. Alternative 1 holds.

(b) $S_1'$ and $S_2'$ both terminate and have equivalent computation of the variables defined in both $S_1'$ and $S_2'$.

By assumption, $(S_1', m_1(loop^1_c, \sigma_1)) \to^* (\text{skip}, m_1'(loop^{1\prime}_c, \sigma_1'))$ and $(S_2', m_2(loop^2_c, \sigma_2)) \to^* (\text{skip}, m_2'(loop^{2\prime}_c, \sigma_2'))$, where $\forall x \in (\mathrm{Def}(S_1') \cap \mathrm{Def}(S_2')) \cup \{id_I\}: \sigma_1'(x) = \sigma_2'(x)$.

By assumption, $\mathrm{Use}(S_1') = \mathrm{Use}(S_2')$ and $\mathrm{Def}(S_1') = \mathrm{Def}(S_2')$. Each variable used in the predicate expression of $S_1$ and $S_2$ is therefore either defined in both $S_1'$ and $S_2'$, in which case the two stores agree on it by the above, or defined in neither, in which case its value is unchanged. Therefore the value stores $\sigma_1'$ and $\sigma_2'$ agree on the values of the variables used in $e$, and indeed on all variables used or defined in $S_1$ and $S_2$. By assumption, $S_1'$ and $S_2'$ produce equivalent output sequences. The configurations $(S_1, m_1'(loop^{1\prime}_c, \sigma_1'))$ and $(S_2, m_2'(loop^{2\prime}_c, \sigma_2'))$ are reachable with loop counters of value 1, so alternative 3 holds.

Induction step on iterations.

The induction hypothesis (IH) is that, for $i \ge 1$, one of the following holds:

1. The loop counters of $S_1$ and $S_2$, if present, are always less than $i$: for all $m_1'(loop^{1\prime}_c)$, $m_2'(loop^{2\prime}_c)$ with $(S_1, m_1(loop^1_c, \sigma_1)) \to^* (S_1'', m_1'(loop^{1\prime}_c))$ and $(S_2, m_2(loop^2_c, \sigma_2)) \to^* (S_2'', m_2'(loop^{2\prime}_c))$, $loop^{1\prime}_c(n_1) < i$ and $loop^{2\prime}_c(n_2) < i$. $S_1$ and $S_2$ terminate in the same way and have equivalent computation of the variables defined in both $S_1$ and $S_2$ and the input sequence variable, $(S_1, m_1) =_H (S_2, m_2)$ and $\forall x \in \mathrm{Def}(S) \cup \{id_I\}: (S_1, m_1) =_x (S_2, m_2)$; $S_1$ and $S_2$ produce equivalent I/O sequences;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i$, and there are no configurations $(S_1, m_1(loop^1_{c_i}, \sigma_{1_i}))$ reachable from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop^2_{c_i}, \sigma_{2_i}))$ reachable from $(S_2, m_2(\sigma_2))$ where the loop counters are of value $i$, $loop^1_{c_i}(n_1) = loop^2_{c_i}(n_2) = i$, the value stores agree on the values of the variables used in both $S_1$ and $S_2$ as well as the input sequence variable, $\forall x \in (\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I\}: \sigma_{1_i}(x) = \sigma_{2_i}(x)$, and the values of the I/O sequence variable are equivalent, $\sigma_{1_i}(id_{IO}) \equiv \sigma_{2_i}(id_{IO})$;

3. There are configurations $(S_1, m_1(loop^1_{c_i}, \sigma_{1_i}))$ reachable from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop^2_{c_i}, \sigma_{2_i}))$ reachable from $(S_2, m_2(\sigma_2))$ where the loop counters are of value $i$, $loop^1_{c_i}(n_1) = loop^2_{c_i}(n_2) = i$, the value stores agree on the values of the variables used in both $S_1$ and $S_2$ as well as the input sequence variable, $\forall x \in (\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I\}: \sigma_{1_i}(x) = \sigma_{2_i}(x)$, and the values of the I/O sequence variable are equivalent, $\sigma_{1_i}(id_{IO}) \equiv \sigma_{2_i}(id_{IO})$.

We then show that, for $i + 1$, one of the following holds:

1. The loop counters of $S_1$ and $S_2$, if present, are always less than $i + 1$: for all $m_1'(loop^{1\prime}_c)$, $m_2'(loop^{2\prime}_c)$ with $(S_1, m_1(loop^1_c, \sigma_1)) \to^* (S_1'', m_1'(loop^{1\prime}_c))$ and $(S_2, m_2(loop^2_c, \sigma_2)) \to^* (S_2'', m_2'(loop^{2\prime}_c))$, $loop^{1\prime}_c(n_1) < i + 1$ and $loop^{2\prime}_c(n_2) < i + 1$. $S_1$ and $S_2$ terminate in the same way, produce equivalent I/O sequences, and have equivalent computation of the variables defined in both $S_1$ and $S_2$ and the input sequence variable, $(S_1, m_1) =_H (S_2, m_2)$, $(S_1, m_1) =_O (S_2, m_2)$ and $\forall x \in \mathrm{Def}(S) \cup \{id_I\}: (S_1, m_1) =_x (S_2, m_2)$;

2. The loop counters of $S_1$ and $S_2$ are of value less than or equal to $i + 1$, and there are no configurations $(S_1, m_1(loop^1_{c_{i+1}}, \sigma_{1_{i+1}}))$ reachable from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop^2_{c_{i+1}}, \sigma_{2_{i+1}}))$ reachable from $(S_2, m_2(\sigma_2))$ where the loop counters are of value $i + 1$, $loop^1_{c_{i+1}}(n_1) = loop^2_{c_{i+1}}(n_2) = i + 1$, the value stores agree on the values of the variables used in both $S_1$ and $S_2$ as well as the input sequence variable, $\forall x \in (\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I\}: \sigma_{1_{i+1}}(x) = \sigma_{2_{i+1}}(x)$, and the values of the I/O sequence variable are equivalent, $\sigma_{1_{i+1}}(id_{IO}) \equiv \sigma_{2_{i+1}}(id_{IO})$;

3. There are configurations $(S_1, m_1(loop^1_{c_{i+1}}, \sigma_{1_{i+1}}))$ reachable from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop^2_{c_{i+1}}, \sigma_{2_{i+1}}))$ reachable from $(S_2, m_2(\sigma_2))$ where the loop counters are of value $i + 1$, $loop^1_{c_{i+1}}(n_1) = loop^2_{c_{i+1}}(n_2) = i + 1$, the value stores agree on the values of the variables used in both $S_1$ and $S_2$ as well as the input sequence variable, $\forall x \in (\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I\}: \sigma_{1_{i+1}}(x) = \sigma_{2_{i+1}}(x)$, and the values of the I/O sequence variable are equivalent, $\sigma_{1_{i+1}}(id_{IO}) \equiv \sigma_{2_{i+1}}(id_{IO})$.

By the hypothesis IH, if alternative 1 or alternative 2 holds for $i$, then there is no reachable configuration in which the loop counters of $S_1$ and $S_2$ are of value $i + 1$: in alternative 1 the counters stay below $i$, and in alternative 2 no execution passes through a pair of agreeing configurations with counters of value $i$ from which a further iteration could start. Hence alternative 1 or alternative 2 holds for $i + 1$ as well.

Otherwise alternative 3 holds for $i$: there are configurations $(S_1, m_1(loop^1_{c_i}, \sigma_{1_i}))$ reachable from $(S_1, m_1(\sigma_1))$ and $(S_2, m_2(loop^2_{c_i}, \sigma_{2_i}))$ reachable from $(S_2, m_2(\sigma_2))$ with loop counters of value $i$, value stores that agree on $(\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I\}$, and equivalent values of the I/O sequence variable. Starting from these configurations, by the same argument as in the base case (the predicate $e$ crashes in both, reduces to zero in both, or reduces to the same nonzero value in both, in which case the bodies $S_1'$ and $S_2'$ are executed once more), one of alternatives 1, 2, 3 holds for $i + 1$.

□

Figure 18: Missing initialization

  old                     new
                          1': b := 2
  2: If (a > 0) then      2': If (a > 0) then
  3:   b := c + 1         3':   b := c + 1
  4: output b + c         4': output b + c
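The proof above checks, iteration by iteration, that an old loop and its updated loop stay in agreeing configurations: both take the Wh-T or Wh-F step together, the value stores agree on the variables used in both loops and on the input sequence, and the I/O sequences are equivalent. The following Python is an added illustration of that lockstep check, not code from the paper. The interpreter, its tuple-encoded AST, the loop-counter bookkeeping and the notion of "equivalent" I/O (prompt strings may differ between versions, every other value must match) are this example's own assumptions; the used-variable set is supplied by hand rather than computed.

```python
"""Lockstep execution of an old loop and its updated version, checking after every
iteration the agreement conditions used in the proof of Lemma 6.13: the value stores
agree on the variables used in both loops plus the input sequence, and the I/O
sequences so far are equivalent.  Added illustration; the interpreter, the AST and
the equivalence on prompt messages are this example's own assumptions.
Expressions: ('var', id) | ('const', v) | ('bin', op, e1, e2).  Statements:
('assign', id, e) | ('output', e) | ('input', id) | ('if', e, St, Sf) | ('while', n, e, S).
A state holds the value store, the remaining input sequence (id_I), the I/O sequence
(id_IO) and the loop counters keyed by loop label n."""
import operator

OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul,
       ">": lambda a, b: int(a > b), "<": lambda a, b: int(a < b),
       "==": lambda a, b: int(a == b)}

def ev(e, store):
    if e[0] == "const":
        return e[1]
    if e[0] == "var":
        if e[1] not in store:
            raise RuntimeError("use of undefined variable " + e[1])
        return store[e[1]]
    return OPS[e[1]](ev(e[2], store), ev(e[3], store))

def run(S, st):
    """Execute the statement sequence S in place on state st."""
    for s in S:
        k = s[0]
        if k == "assign":
            st["store"][s[1]] = ev(s[2], st["store"])
        elif k == "output":
            st["io"].append(("out", ev(s[1], st["store"])))
        elif k == "input":
            v = st["inp"].pop(0)
            st["store"][s[1]] = v
            st["io"].append(("in", v))
        elif k == "if":
            run(s[2] if ev(s[1], st["store"]) != 0 else s[3], st)
        elif k == "while":
            while loop_step(s, st):
                pass
    return st

def loop_step(loop, st):
    """One Wh-T step (bump the loop counter, run the body) or Wh-F (return False)."""
    _, n, e, body = loop
    if ev(e, st["store"]) == 0:
        return False
    st["counters"][n] = st["counters"].get(n, 0) + 1
    run(body, st)
    return True

def io_equiv(io1, io2):
    """Assumed 'equivalent' I/O: prompt messages (strings) may differ between versions,
    every other input/output value must match exactly and in the same order."""
    if len(io1) != len(io2):
        return False
    for (k1, v1), (k2, v2) in zip(io1, io2):
        if k1 != k2 or (not (isinstance(v1, str) and isinstance(v2, str)) and v1 != v2):
            return False
    return True

def lockstep(loop1, loop2, store, inp, used, max_iter=1000):
    """Run loop1 and loop2 one iteration at a time from the same store and input.
    Returns ('terminate', iterations, st1, st2) if both exit together with every
    per-iteration check passing, ('diverge', i, what) at the first iteration i where
    a check fails, or ('bounded', max_iter, st1, st2) if neither exits in time."""
    st1 = dict(store=dict(store), inp=list(inp), io=[], counters={})
    st2 = dict(store=dict(store), inp=list(inp), io=[], counters={})
    for i in range(1, max_iter + 1):
        c1, c2 = loop_step(loop1, st1), loop_step(loop2, st2)
        if c1 != c2:
            return ("diverge", i, "termination")
        if not io_equiv(st1["io"], st2["io"]):
            return ("diverge", i, "io")
        if st1["inp"] != st2["inp"]:
            return ("diverge", i, "input sequence")
        for x in used:                 # (Use(S1) ∩ Use(S2)) ∪ {id_I}, supplied by hand
            if st1["store"].get(x) != st2["store"].get(x):
                return ("diverge", i, x)
        if not c1:
            return ("terminate", i - 1, st1, st2)
    return ("bounded", max_iter, st1, st2)

# Constructed example: read n numbers from the input sequence and sum them.
N = ("var", "n")
BODY_OLD = [("output", ("const", "enter number")), ("input", "x"),
            ("assign", "s", ("bin", "+", ("var", "s"), ("var", "x"))),
            ("assign", "n", ("bin", "-", N, ("const", 1)))]
BODY_NEW = [("output", ("const", "Please enter a number:"))] + BODY_OLD[1:]  # prompt only
BODY_BAD = BODY_NEW[:2] + [("assign", "s", ("bin", "+", ("var", "s"),
                            ("bin", "*", ("var", "x"), ("const", 2))))] + BODY_OLD[3:]
LOOP_OLD = ("while", 1, ("bin", ">", N, ("const", 0)), BODY_OLD)
LOOP_NEW = ("while", 2, ("bin", ">", N, ("const", 0)), BODY_NEW)
LOOP_BAD = ("while", 2, ("bin", ">", N, ("const", 0)), BODY_BAD)
LOOP_SHORT = ("while", 2, ("bin", ">", N, ("const", 1)), BODY_NEW)  # exits one iteration early
START, INPUT, USED = {"n": 3, "s": 0}, [3, 4, 5], ["n", "s", "x"]

if __name__ == "__main__":
    for new in (LOOP_NEW, LOOP_BAD, LOOP_SHORT):
        r = lockstep(LOOP_OLD, new, START, INPUT, USED)
        print(r[0], r[1], r[2] if r[0] == "diverge" else r[2]["store"])
```

LOOP_NEW differs from LOOP_OLD only in the prompt constant, so the check runs three agreeing iterations and both loops exit together (alternative 1 of the lemma after the last iteration). LOOP_BAD changes the body's arithmetic and is caught at iteration 1 on the variable s; LOOP_SHORT changes the predicate and is caught at iteration 3, where the old loop takes a Wh-T step and the new one takes Wh-F.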


6.6 Proof rule for missing variable initializations

A kind of bugfix we call missing-initialization adds initializations for variables that are imported relative to the I/O sequence variable in the old program. Figure 18 shows an example of a missing initialization. The initialization b := 2 ensures that the value used in "output b + c" is not undefined. In general, new variable initializations only affect rare, buggy executions of the old program, namely those in which an imported variable relative to the I/O sequence variable is used while undefined. Because DSU does not start in an error state, we assume, in the proof of backward compatibility, that there are no uses of variables with undefined values in executions of the old program.

The following is the definition of the update class "missing initializations".

Definition 32. (Missing initializations) A statement sequence $S_2$ includes updates of missing initializations compared with a statement sequence $S_1$, written $S_2 \approx_{mi} S_1$, iff $S_2 = S_{init}; S_1$ where $S_{init}$ is a sequence of assignment statements of the form "$lval := v$" and $\mathrm{Def}(S_{init}) \subseteq \mathrm{Imp}(S_1, \{id_{IO}\})$.

Though, in the first case of the definition of backward compatibility, the bugfix in an update of missing initializations is not confined to rare executions, the definition shows the basic form of the bugfix clearly.

We show that two statement sequences terminate in the same way, produce the same output sequence, and have equivalent computation of the variables defined in both programs in valid executions if there are updates of missing initializations between them.

Lemma 6.14. Let $S_1$ and $S_2$ be two statement sequences where there are updates of "missing initializations" in $S_2$ compared with $S_1$, $S_2 \approx_{mi} S_1$. If $S_1$ and $S_2$ start in states $m_1(\sigma_1)$ and $m_2(\sigma_2)$ respectively such that all of the following hold:

• The value stores $\sigma_1$ and $\sigma_2$ agree on the values of the variables used in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable, $\forall id \in (\mathrm{Use}(S_1) \cap \mathrm{Use}(S_2)) \cup \{id_I, id_{IO}\}: \sigma_1(id) = \sigma_2(id)$;

• The variables defined in $S_{init}$ have undefined values in the value stores $\sigma_1$, $\sigma_2$, $\forall id \in \mathrm{Def}(S_{init}): \sigma_1(id) = \sigma_2(id) = \mathit{Udf}[\tau]$ where $\tau$ is the type of the variable $id$;

• There is no use of a variable with an undefined value in the execution of $S_1$;

• There is no crash in the execution of $S_{init}$;

then $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and, when $S_1$ and $S_2$ both terminate, have equivalent computation of the used variables and defined variables in both $S_1$ and $S_2$ as well as the input sequence variable and the I/O sequence variable:

• $(S_1, m_1) =_H (S_2, m_2)$;

• $(S_1, m_1) =_O (S_2, m_2)$;

• $\forall x \in (\mathrm{Def}(S_1) \cup \mathrm{Def}(S_2)) \cup \{id_I, id_{IO}\}: (S_1, m_1) =_x (S_2, m_2)$.

Proof. By induction on the sum of the program sizes of $S_1$ and $S_2$, $\mathrm{size}(S_1) + \mathrm{size}(S_2)$.

Base case. $S_1 = s$ and $S_2 = S_{init}; s$ where $S_{init}$ = "$lval := v$" and $\mathrm{Def}(lval) \subseteq \mathrm{Use}(s)$.

There are three cases regarding $lval$ in $S_{init}$.

1. $lval = id$.

Then the execution of $S_2$ proceeds as follows:

$(id := v; s,\ m_2(\sigma_2))$
$\to (\text{skip}; s,\ m_2(\sigma_2[v/id]))$ by the rule As-Scl
$\to (s,\ m_2(\sigma_2[v/id]))$ by the rule Seq.

By assumption, $id \in \mathrm{Use}(s)$. By assumption, the value of $id$ is undefined in the value store $\sigma_1$. Then there is no valid execution of $S_1$. So it holds vacuously that, in valid executions of $S_1$, $S_1$ and $S_2$ terminate in the same way, produce the same output sequence, and have equivalent computation of the variables defined in both $S_1$ and $S_2$. This lemma holds.

2. $lval = id[n]$.

Then the execution of $S_2$ proceeds as follows:

$(id[n] := v; s,\ m_2(\sigma_2))$
$\to (\text{skip}; s,\ m_2(\sigma_2[v/(id, n)]))$ by the rule As-Arr
$\to (s,\ m_2(\sigma_2[v/(id, n)]))$ by the rule Seq.

By an argument similar to the above, this lemma holds.

3. $lval = id_1[id_2]$.

Then the execution of $S_2$ proceeds as follows:

$(id_1[id_2] := v; s,\ m_2(\sigma_2))$
$\to (id_1[n_1] := v; s,\ m_2(\sigma_2))$ by the rule Var, where $n_1 = \sigma_2(id_2)$
$\to (\text{skip}; s,\ m_2(\sigma_2[v/(id_1, n_1)]))$ by the rule As-Arr
$\to (s,\ m_2(\sigma_2[v/(id_1, n_1)]))$ by the rule Seq.

By an argument similar to the above, this lemma holds.

Induction step.

The hypothesis is that this lemma holds whenever the sum $k$ of the program sizes of $S_1$ and $S_2$ is greater than or equal to 3, $k \ge 3$.

We then show that this lemma holds when the sum of the program sizes of $S_1$ and $S_2$ is $k + 1$.

$S_2 = S_{init}; S_1$ where $S_{init}$ is a sequence of assignment statements and $\mathrm{Def}(S_{init}) \subseteq \mathrm{Imp}(S_1, \{id_{IO}\})$.

The proof is similar to that of the base case. By assumption, the execution of $S_{init}$ does not crash, $(S_{init}, m_2(\sigma_2)) \to^* (\text{skip}, m_2(\sigma_2'))$ where $\sigma_2' = \sigma_2[v_1/x_1]\ldots[v_k/x_k]$ and $\forall 1 \le i \le k: x_i \in \mathrm{Def}(S_{init})$.

By assumption, there is no use of a variable with an undefined value in the execution of $S_1$; by the earlier theorems on valid executions (Theorem 4 among them), this lemma holds. □


7. Related Work

We discuss related work on DSU safety and on program equivalence, in that order.

Existing studies of DSU safety can be roughly divided into high-level and low-level ones. There are a few studies of high-level DSU safety. Kramer and Magee defined DSU correctness as the updated system "operating as normal instead of progressing to an error state". This is covered by our requirement that hybrid executions conform to the old program's specification and by our accommodation of bug fixes. Moreover, our backward compatibility includes I/O behavior, which is more concrete than the behavior considered by Kramer and Magee. Bloom and Day proposed a DSU correctness that allows functionality extensions which could not produce past behavior. This is probably because Bloom and Day considered an updated environment; on the contrary, we assume that the environment is not updated. In addition, we explicitly present the error state, which Bloom and Day do not mention. Panzica La Manna presented a high-level correctness that considers only scenario-based specifications for controller systems instead of general programs.

There are also studies of low-level DSU safety. Hayden et al. discussed DSU correctness and concluded that there is only client-oriented correctness. Zhang et al. ask developers to ensure DSU correctness. Magill et al. did ad-hoc program correlation without defining any correctness. We consider that there is a general principle of DSU safety; the difference lies in the abstraction of program behavior. We model program behavior by concrete I/O, while the others consider a general program behavior.

We next discuss existing work on program equivalence. There is a rich literature on program equivalence, and we compare our work only with the most closely related work. Our study of program equivalence is inspired by the original work of Horwitz et al. on program dependence graphs, but we take a much more formal approach, and we consider terminating as well as non-terminating programs with recurring I/O. Godlin and Strichman have a structured study of program equivalence similar to ours. They restrict equivalence to corresponding functions, which weakens its applicability to general transformations affecting loops such as loop fission, loop fusion and loop-invariant code motion; our program equivalence allows loop optimizations such as loop fusion and loop fission. Furthermore, our syntactic conditions imply more program-point mappings, because we allow corresponding program points in arbitrarily nested statements and in the middle of a program that does not include function calls.

8. Conclusion

In this paper, we propose a formal and practical general definition of DSU correctness based on I/O sequences: backward compatibility. We devised a formal language and adapted the general definition of DSU correctness to executable programs written in it. Based on the adapted backward compatibility, we proposed syntactic conditions that help guarantee correct DSUs for both terminating and non-terminating executions. In addition, we formalized typical program updates that are provably backward compatible, covering both new features and bugfixes.

In the future, we plan to identify more backward compatible update patterns by studying more open source programs. Though it is doubtful whether the evolution history of open source programs includes every typical update pattern, open source programs are the most important source of widely used programs for our study of DSU. In addition, we plan to develop an algorithm for automatic state mapping based on our syntactic conditions for program equivalence and our definitions of update classes.
A. Type system

Figure 19 shows an almost standard type system that is unsound and incomplete. The type system is unsound for three reasons: (a) the possible value mismatch due to the subtype rule from the type Int to Long, (b) the implicit subtyping between enumeration types and the type Long allowed by our semantics, and (c) possible array indices out of bounds. The type system is incomplete because of the parameterized "other" expressions. The notation $\mathrm{Dom}(\Gamma)$, borrowed from Cardelli, in the rules Tvar1, Tvar2, Tlabels and Tfundecl refers to the domain of the typing environment $\Gamma$, that is, the identifiers bound to a type in $\Gamma$.

B. Syntactic definitions

The syntax-directed definitions listed below make our argument partially independent of existing program analyses.

Definition 33. ($\mathrm{Idx}(lval)$) The variables used in the index of a left value $lval$, written $\mathrm{Idx}(lval)$, are as follows:

1. $\mathrm{Idx}(id) = \emptyset$;

2. $\mathrm{Idx}(id[n]) = \emptyset$;

3. $\mathrm{Idx}(id_1[id_2]) = \{id_2\}$;

Definition 34. ($\mathrm{Base}(lval)$) The base of a left value $lval$, written $\mathrm{Base}(lval)$, is as follows:

1. $\mathrm{Base}(id) = \{id\}$;

2. $\mathrm{Base}(id[n]) = \{id\}$;

3. $\mathrm{Base}(id_1[id_2]) = \{id_1\}$;

Definition 35. ($\mathrm{Use}(e)$) The set of variables used in an expression $e$, written $\mathrm{Use}(e)$, is as follows:

1. $\mathrm{Use}(lval) = \mathrm{Base}(lval) \cup \mathrm{Idx}(lval)$;

2. $\mathrm{Use}(id == l) = \{id\}$;

3. $\mathrm{Use}(other)$ is given by the parameterized function $\mathrm{Use} : other \to \{id\}$;

Definition 36. ($\mathrm{Use}(S)$) The variables used in a sequence of statements $S$, written $\mathrm{Use}(S)$, are as follows:

1. $\mathrm{Use}(skip) = \emptyset$;

2. $\mathrm{Use}(lval := e) = \mathrm{Use}(e) \cup \mathrm{Idx}(lval)$;

3. $\mathrm{Use}(\mathrm{output}\ e) = \mathrm{Use}(e) \cup \{id_{io}\}$;

4. $\mathrm{Use}(\mathrm{input}\ id) = \{id_i, id_{io}\}$;

5. $\mathrm{Use}(\mathrm{If}(e)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}) = \mathrm{Use}(e) \cup \mathrm{Use}(S_t) \cup \mathrm{Use}(S_f)$;

6. $\mathrm{Use}(\mathrm{while}_{(n)}(e)\{S'\}) = \mathrm{Use}(e) \cup \mathrm{Use}(S')$;
7. For $k > 0$, $\mathrm{Use}(s_1; \ldots; s_{k+1}) = \mathrm{Use}(s_1; \ldots; s_k) \cup \mathrm{Use}(s_{k+1})$;

Definition 37. ($\mathrm{Def}(S)$) The variables defined in a sequence of statements $S$, written $\mathrm{Def}(S)$, are as follows:

1. $\mathrm{Def}(skip) = \emptyset$;

2. $\mathrm{Def}(id := e) = \{id\}$;

3. $\mathrm{Def}(\mathrm{input}\ id) = \{id_i, id_{io}, id\}$;

4. $\mathrm{Def}(\mathrm{output}\ e) = \{id_{io}\}$;

5. $\mathrm{Def}(\mathrm{If}(e)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}) = \mathrm{Def}(S_t) \cup \mathrm{Def}(S_f)$;

6. $\mathrm{Def}(\mathrm{while}_{(n)}(e)\{S\}) = \mathrm{Def}(S)$;

7. For $k > 0$, $\mathrm{Def}(s_1; \ldots; s_{k+1}) = \mathrm{Def}(s_1; \ldots; s_k) \cup \mathrm{Def}(s_{k+1})$;

Definition 38. ($s \in S$) We say a statement $s$ is in a sequence of statements $S$ of a program $P$, written $s \in S$, if one of the following holds:

1. $S = s$;

2. If $S = $ "$\mathrm{If}(e)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}$", $(s \in S_t) \vee (s \in S_f)$;

3. If $S = $ "$\mathrm{while}(e)\{S'\}$", $s \in S'$;

4. For $k > 0$, if $S = s_1; \ldots; s_{k+1}$, $(s \in s_{k+1}) \vee (s \in s_1; \ldots; s_k)$;

We write $s \notin S$ if $s \in S$ does not hold.

We now give the definition of program size, on which our induction proofs are based.

Definition 39. ($\mathrm{size}(S)$) The program size of a statement sequence $S$, written $\mathrm{size}(S)$, is as follows:

1. $\mathrm{size}($"$skip$"$) = \mathrm{size}($"$id := e$"$) = \mathrm{size}($"$id_1 := \mathrm{call}\ id_2(e^{*})$"$) = \mathrm{size}($"$\mathrm{input}\ id$"$) = \mathrm{size}($"$\mathrm{output}\ e$"$) = 1$;

2. $\mathrm{size}($"$\mathrm{If}(e)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}$"$) = 1 + \mathrm{size}(S_t) + \mathrm{size}(S_f)$;

3. $\mathrm{size}($"$\mathrm{while}(e)\{S'\}$"$) = 1 + \mathrm{size}(S')$;

4. For $k > 0$, $\mathrm{size}(s_1; \ldots; s_k) = \sum_{i=1}^{k} \mathrm{size}(s_i)$;

Figure 19: Typing rules (reconstructed from the extracted text; rule premises that could not be recovered are marked illegible)

Well-formed typing environments, $\Gamma \vdash \diamond$:

(rule name illegible) $\emptyset \vdash \diamond$

(Tvar1) $\dfrac{\Gamma \vdash \diamond \quad V = V', \tau\ id \quad id \notin \mathrm{Dom}(\Gamma)}{\Gamma, id : \tau \vdash \diamond}$

(Tvar2) $\dfrac{\Gamma \vdash \diamond \quad V = V', \tau\ id[n] \quad n > 0 \quad id \notin \mathrm{Dom}(\Gamma)}{\Gamma, id : \mathrm{array}(\tau, n) \vdash \diamond}$

(Tprompt) $\dfrac{\Gamma \vdash \diamond \quad Pmpt = \{l_1 : n_1, \ldots, l_k : n_k\} \quad pmpt \notin \mathrm{Dom}(\Gamma)}{\Gamma, pmpt : \{l_1 : n_1, \ldots, l_k : n_k\} \vdash \diamond}$

(Tlabels) $\dfrac{\Gamma \vdash \diamond \quad k \ge 1 \quad EN = EN', \mathrm{enum}\ id\{l_1, \ldots, l_k\} \quad id \notin \mathrm{Dom}(\Gamma)}{\Gamma, id : \{l_1, \ldots, l_k\} \vdash \diamond}$

Well-formed types, $\Gamma \vdash \tau$:

(Tint) $\dfrac{\Gamma \vdash \diamond}{\Gamma \vdash \mathrm{Int}}$ (Tlong) $\dfrac{\Gamma \vdash \diamond}{\Gamma \vdash \mathrm{Long}}$ (Tenum) $\dfrac{\Gamma \vdash id : \{l_1, \ldots, l_k\}}{\Gamma \vdash \mathrm{enum}\ id}$

Expressions, $\Gamma \vdash e : \tau$:

(Topnd) $\Gamma, id : \tau \vdash id : \tau$

(Tarray1) $\dfrac{\Gamma \vdash id : \mathrm{array}(\tau, n) \quad \Gamma \vdash id' : \mathrm{Long}}{\Gamma \vdash id[id'] : \tau}$

(Tarray2) $\dfrac{\Gamma \vdash id : \mathrm{array}(\tau, n) \quad 1 \le k \le n}{\Gamma \vdash id[k] : \tau}$

(Tequiv) $\dfrac{\Gamma \vdash id' : \{l_1, \ldots, l_k\} \quad \Gamma \vdash id : \mathrm{enum}\ id'}{\Gamma \vdash (id == l) : \mathrm{Long}}$

(TSub) $\dfrac{\Gamma \vdash e : \mathrm{Int}}{\Gamma \vdash e : \mathrm{Long}}$

Statements, $\Gamma \vdash S$:

(Tassign) $\dfrac{\Gamma \vdash lval : [\text{type illegible}] \quad \Gamma \vdash e : [\text{type illegible}]}{\Gamma \vdash lval := e}$

(Tinput) $\dfrac{\Gamma \vdash id : \tau \quad \tau \neq pmpt}{\Gamma \vdash \mathrm{input}\ id}$

(Toutput) $\dfrac{\Gamma \vdash e : \mathrm{Long}}{\Gamma \vdash \mathrm{output}\ e}$

(Tseq) $\dfrac{\Gamma \vdash S_1 \quad \Gamma \vdash S_2}{\Gamma \vdash S_1; S_2}$

(Tif) $\dfrac{\Gamma \vdash e : \mathrm{Long} \quad \Gamma \vdash S_1 \quad \Gamma \vdash S_2}{\Gamma \vdash \mathrm{If}(e)\ \mathrm{then}\ \{S_1\}\ \mathrm{else}\ \{S_2\}}$

(Twhile) $\dfrac{\Gamma \vdash e : \mathrm{Long} \quad \Gamma \vdash S}{\Gamma \vdash \mathrm{while}(e)\{S\}}$

Programs, $\Gamma \vdash P$:

(Tprog) $\dfrac{Pmpt = \{l_1 : n_1, \ldots, l_k : n_k\} \quad EN = \mathrm{enum}\ id_1\{l^1_1, \ldots\}, \ldots, \mathrm{enum}\ id_k\{l^k_1, \ldots\} \quad \Gamma \vdash \mathrm{enum}\ id_i \quad V = \tau'_1\ id'_1, \ldots, \tau'_{k'}\ id'_{k'}[n] \quad \Gamma \vdash id'_j : \tau'_j,\ 1 \le j \le k'-1 \quad \Gamma \vdash id'_{k'} : \mathrm{array}(\tau'_{k'}, n) \quad \Gamma \vdash S_{entry}}{\Gamma \vdash Pmpt; EN; V; S_{entry}}$

C. Properties of imported variables

Lemma C.1. $\mathrm{Imp}(S_1; S_2, X) = \mathrm{Imp}(S_1, \mathrm{Imp}(S_2, X))$.

Proof. Let the statement sequence $S_2 = s_1; s_2; \ldots; s_k$ for some $k > 0$. The proof is by induction on $k$. □

Corollary C.1. $\forall i \in \mathbb{Z}^{+}$, $\mathrm{Imp}(S^{i+1}, X) = \mathrm{Imp}(S, \mathrm{Imp}(S^{i}, X))$. This follows from Lemma C.1.

Lemma C.2. $\mathrm{Imp}(S, A \cup B) = \mathrm{Imp}(S, A) \cup \mathrm{Imp}(S, B)$.

Proof. By structural induction on the abstract syntax of the statement sequence $S$. □

Lemma C.3. For a statement $s = $ "$\mathrm{while}(e)\{S\}$" and a finite set of variables $X$ such that $X \cap \mathrm{Def}(s)\ [\,?\,]\ \emptyset$ (the relation symbol is illegible in the extracted text), there is $\beta > 0$ such that $\bigcup_{0 \le i} \mathrm{Imp}(S^{i}, X) \subseteq \mathrm{Imp}(S^{\beta}, X)$.

Proof. By contradiction against the fact that only a finite number of variables are redefined in the statement $s$. □
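The syntax-directed sets $\mathrm{Idx}$, $\mathrm{Base}$, $\mathrm{Use}$ and $\mathrm{Def}$ of Definitions 33 to 37 (Appendix B), as an added worked implementation that is not part of the paper. The tuple encoding of the abstract syntax, the names `id_i`/`id_io`, the constructed sample program and the treatment of an array assignment in `def_seq` (taken to define the base variable, following Definition 34) are assumptions of this example.

```python
# Expressions: ("lval", id, idx) with idx None -> id, int -> id[n], str -> id1[id2];
# ("eq", id, l) for "id == l"; ("other", used) carries the parameterized Use set.
# Statements: ("skip",), ("assign", lval, e), ("output", e), ("input", id),
# ("if", e, S_t, S_f), ("while", n, e, S); a statement sequence S is a list.
ID_I, ID_IO = "id_i", "id_io"  # assumed spellings of the paper's input / I/O variables

def idx(lv):
    """Definition 33: variables used in the index of a left value."""
    return frozenset([lv[2]]) if isinstance(lv[2], str) else frozenset()

def base(lv):
    """Definition 34: the base variable of a left value."""
    return frozenset([lv[1]])

def use_expr(e):
    """Definition 35: variables used by an expression."""
    if e[0] == "lval":
        return base(e) | idx(e)
    if e[0] == "eq":
        return frozenset([e[1]])
    return e[1]  # "other": supplied by the parameterized Use function

def use_seq(S):
    """Definition 36: variables used by a statement sequence (item 7 is the loop)."""
    acc = frozenset()
    for s in S:
        if s[0] == "assign":
            acc |= use_expr(s[2]) | idx(s[1])
        elif s[0] == "output":
            acc |= use_expr(s[1]) | {ID_IO}
        elif s[0] == "input":
            acc |= {ID_I, ID_IO}
        elif s[0] == "if":
            acc |= use_expr(s[1]) | use_seq(s[2]) | use_seq(s[3])
        elif s[0] == "while":
            acc |= use_expr(s[2]) | use_seq(s[3])
    return acc  # "skip" contributes nothing

def def_seq(S):
    """Definition 37: variables defined by a statement sequence."""
    acc = frozenset()
    for s in S:
        if s[0] == "assign":
            acc |= base(s[1])  # assumption: an array assignment defines its base
        elif s[0] == "output":
            acc |= {ID_IO}
        elif s[0] == "input":
            acc |= {ID_I, ID_IO, s[1]}
        elif s[0] == "if":
            acc |= def_seq(s[2]) | def_seq(s[3])
        elif s[0] == "while":
            acc |= def_seq(s[3])
    return acc

# Constructed sample program:
#   input x; i := 1; while_(1) (x == L1) { a[i] := b[i]; i := other(i); output a[i] }
SAMPLE = [
    ("input", "x"),
    ("assign", ("lval", "i", None), ("other", frozenset())),
    ("while", 1, ("eq", "x", "L1"), [
        ("assign", ("lval", "a", "i"), ("lval", "b", "i")),
        ("assign", ("lval", "i", None), ("other", frozenset({"i"}))),
        ("output", ("lval", "a", "i")),
    ]),
]
```

For the sample, `use_seq(SAMPLE)` yields `{a, b, i, id_i, id_io, x}` and `def_seq(SAMPLE)` yields `{a, i, id_i, id_io, x}`; note that `b` is used but never defined, which is exactly the kind of variable the imported-variable sets of Appendix C track.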

D. Properties of expression evaluation

We summarize two properties of expression evaluation, which are based on the two corresponding properties of the evaluation of "other" expressions. In the following, we use the notation $\mathcal{E}'$ for the expression meaning function with an extended domain, $\mathcal{E}' : e \to \sigma \to (V_{error} \times \{0, 1\})$.

Lemma D.1. If every variable in $\mathrm{Use}(e)$ of an expression $e$ has the same value w.r.t. two value stores, then the expression $e$ evaluates to the same value against the two value stores: $(\forall x \in \mathrm{Use}(e) : \sigma_1(x) = \sigma_2(x)) \Rightarrow (\mathcal{E}'⟦e⟧\sigma_1 = \mathcal{E}'⟦e⟧\sigma_2)$.

Proof. The proof is a case analysis of the expression $e$.

1. $e = lval$: There are further cases regarding $lval$.

(a) $lval = id$: By definition, $\mathrm{Use}(e) = \{id\}$. Besides, there is no integer overflow in either evaluation. The lemma holds trivially.

(b) $lval = id[n]$: By definition, $\mathrm{Use}(e) = \{id\}$. Because the array has a fixed size, by assumption, $\sigma_1(id, n) = \sigma_2(id, n)$ or $(id, n, *) \notin \sigma_1 \wedge (id, n, *) \notin \sigma_2$. Besides, there is no integer overflow in either evaluation. The lemma holds.

(c) $lval = id_1[id_2]$: By definition, $\mathrm{Use}(e) = \{id_1, id_2\}$. By assumption, $\sigma_1(id_2) = \sigma_2(id_2) = n$. By an argument similar to the case $lval = id[n]$, the lemma holds.

2. $e = $ "$id == l$": By definition, $\mathrm{Use}(e) = \{id\}$. W.l.o.g., $id$ is a global variable. By assumption, $\sigma_1(id) = \sigma_2(id) = l'$. If $l' = l$, by rule Eq-T, $(l' == l, m(\sigma)) \to (1, m)$. If $l' \neq l$, by rule Eq-F, $(l' == l, m(\sigma)) \to (0, m)$. Besides, there is no integer overflow in either evaluation. The lemma holds.

3. $e = other$: By definition, $\mathrm{Use}(e)$ is the parameterized set $\mathrm{Use}(other)$. By assumption, $\forall x \in \mathrm{Use}(e) : \sigma_1(x) = \sigma_2(x)$. The lemma holds by the parameterized expression meaning function for "other" expressions.

□

Lemma D.2. If every variable in $\mathrm{Err}(e)$ of an expression $e$ has the same value w.r.t. two pairs of (block, value store), $\forall x \in \mathrm{Err}(e) : \sigma_1(x) = \sigma_2(x)$, then one of the following holds:

1. the expression evaluates to a crash against both value stores, $(\mathcal{E}'⟦e⟧\sigma_1 = (error, v_{o_1})) \wedge (\mathcal{E}'⟦e⟧\sigma_2 = (error, v_{o_2}))$;

2. the expression evaluates without a crash against both pairs of (block, value store), $(\mathcal{E}'⟦e⟧\sigma_1 \neq (error, v'_{o_1})) \wedge (\mathcal{E}'⟦e⟧\sigma_2 \neq (error, v'_{o_2}))$.

Proof. The proof is a case analysis of the expression $e$.

1. $e = lval$: There are further cases regarding $lval$.

(a) $lval = id$: By definition, $\mathrm{Err}(e) = \mathrm{Idx}(e) = \emptyset$. By our semantics, the evaluation of $id$ never crashes. Besides, there is no integer overflow in either evaluation. The lemma holds.

(b) $lval = id[n]$: By definition, $\mathrm{Err}(e) = \mathrm{Idx}(e) = \emptyset$. Because the array $id$ has a fixed size, by assumption, either $((id, n, v_1) \in \sigma_1) \wedge ((id, n, v_2) \in \sigma_2)$ or $((id, n, v_1) \notin \sigma_1) \wedge ((id, n, v_2) \notin \sigma_2)$. Besides, there is no integer overflow in either evaluation. The lemma holds.

(c) $lval = id_1[id_2]$: By definition, $\mathrm{Err}(e) = \mathrm{Idx}(e) = \{id_2\}$. By assumption, $\sigma_1(id_2) = \sigma_2(id_2) = n$. By an argument similar to the case $lval = id[n]$, the lemma holds.

2. $e = $ "$id == l$": By definition, $\mathrm{Err}(e) = \emptyset$. W.l.o.g., $id$ is a global variable. Let $\sigma_1(id) = l_1$ and $\sigma_2(id) = l_2$. W.l.o.g., $l_1 = l$ and $l_2 \neq l$; then, by rule Eq-T, $(l_1 == l, m(\sigma)) \to (1, m)$ and, by rule Eq-F, $(l_2 == l, m(\sigma)) \to (0, m)$. Besides, there is no integer overflow in either evaluation. The lemma holds.

3. $e = other$: By definition, $\mathrm{Err}(e)$ is the parameterized set $\mathrm{Err}(other)$. By assumption, $\forall x \in \mathrm{Err}(e) : \sigma_1(x) = \sigma_2(x)$. The lemma holds by the property of the parameterized expression meaning function for "other" expressions.

□

With respect to Lemma D.1 and Lemma D.2, we extend the semantic rule for expression evaluation as shown in Figure 20.

Figure 20: An extended SOS rule for expressions (reconstructed from the extracted text)

Judgment form: $(e, m) \to (e', m')$

Extended meaning function: $\mathcal{E}' : e \to \sigma \to (V_{error} \times \{0, 1\})$

Rule: $(e, m(f, \sigma)) \to (\mathcal{E}'⟦e⟧\sigma, m)$

E. Properties of remaining execution

We assume that the crash flag $f = 0$ in the given execution state $m(f)$.

Lemma E.1. $(S_1, m) \to (S_1', m') \Rightarrow (S_1; S_2, m) \to (S_1'; S_2, m')$.


Proof. The proof is by structural induction on the abstract syntax of $S_1$.

Case 1. $S_1 = $ "$skip$". By rule Seq, $(skip; S_2, m) \to (S_2, m)$, where $m = m'$.

Case 2. $S_1 = $ "$id := e$". There are two subcases.

Case 2.1. $(e, m) \to (v, m)$ for some value $v$. By rule Assign, $(id := v, m) \to (skip, m(\sigma[v/id]))$. Then, by the contextual (semantic) rule, $(id := v; S_2, m) \to (skip; S_2, m(\sigma[v/id]))$.

Case 2.2. $(e, m) \to (e', m(1/f))$ for some expression $e'$. Then, by rule Crash, $(id := e', m(1/f)) \to (id := e', m(1/f))$. Then, by the contextual rule, $(id := e'; S_2, m(1/f)) \to (id := e'; S_2, m(1/f))$.

Case 3. $S_1 = $ "$\mathrm{output}\ e$".

Case 4. $S_1 = $ "$\mathrm{input}\ id$".

By an argument similar to Case 2, the lemma holds for Cases 3 and 4.

Case 5. $S_1 = $ "$\mathrm{If}(e)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}$".

Case 5.1. W.l.o.g., the expression $e$ in the predicate of $S_1$ evaluates to a nonzero value in state $m$, written $(e, m) \to (v, m)$ with $v \neq 0$. By rule If-T, $(\mathrm{If}(v)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m) \to (S_t, m)$. By the contextual (semantic) rule, $(\mathrm{If}(v)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}; S_2, m) \to (S_t; S_2, m)$.

Case 5.2. Evaluation of the expression $e$ in the predicate of $S_1$ crashes, written $(e, m) \to (e', m(1/f))$. Then, by rule Crash, $(\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m(1/f)) \to (\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m(1/f))$. Then, by the contextual rule, $(\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}; S_2, m(1/f)) \to (\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}; S_2, m(1/f))$.

Case 6. $S_1 = $ "$\mathrm{while}_{(n)}(e)\{S\}$".

Case 6.1. When the expression $e$ in the predicate of $S_1$ evaluates to a nonzero value, written $(e, m) \to (v, m)$ for some $v \neq 0$, then, by rule Wh-T, $(\mathrm{while}_{(n)}(e)\{S\}, m) \to (S; \mathrm{while}_{(n)}(e)\{S\}, m(mc[(k+1)/n]))$ for some nonnegative integer $k$. Then, by the contextual rule, $(\mathrm{while}_{(n)}(e)\{S\}; S_2, m) \to (S; \mathrm{while}_{(n)}(e)\{S\}; S_2, m(mc[(k+1)/n]))$.

Case 6.2. When the expression $e$ in the predicate of $S_1$ evaluates to zero, written $(e, m) \to (0, m)$, then, by rule Wh-F, $(\mathrm{while}_{(n)}(e)\{S\}, m) \to (skip, m(mc[0/n]))$. By the contextual rule, $(\mathrm{while}_{(n)}(e)\{S\}; S_2, m) \to (skip; S_2, m(mc[0/n]))$.

Case 6.3. Evaluation of the expression $e$ in the predicate of $S_1$ crashes, written $(e, m) \to (e', m(1/f))$. By rule Crash, $(\mathrm{while}_{(n)}(e')\{S\}, m(1/f)) \to (\mathrm{while}_{(n)}(e')\{S\}, m(1/f))$. Then, by the contextual rule, $(\mathrm{while}_{(n)}(e')\{S\}; S_2, m(1/f)) \to (\mathrm{while}_{(n)}(e')\{S\}; S_2, m(1/f))$. □

Lemma E.2. $(S_1, m) \to^{k} (S_1', m') \Rightarrow (S_1; S_2, m) \to^{k} (S_1'; S_2, m')$.

Proof. By induction on the number of steps $k$ in the execution $(S_1, m) \to^{k} (S_1', m')$.

Base case. $k = 0$ and $k = 1$. For $k = 0$, by definition, $(S_1, m) \to^{0} (S_1, m)$ and $(S_1; S_2, m) \to^{0} (S_1; S_2, m)$. For $k = 1$, by Lemma E.1, $(S_1, m) \to (S_1', m') \Rightarrow (S_1; S_2, m) \to (S_1'; S_2, m')$.

Induction step. The induction hypothesis IH is that, for $k \ge 1$, $(S_1, m) \to^{k} (S_1', m') \Rightarrow (S_1; S_2, m) \to^{k} (S_1'; S_2, m')$. We show that $(S_1, m) \to^{k+1} (S_1', m') \Rightarrow (S_1; S_2, m) \to^{k+1} (S_1'; S_2, m')$. We decompose the $k+1$ step execution into $(S_1, m) \to (S_1'', m'') \to^{k} (S_1', m')$. By Lemma E.1, $(S_1; S_2, m) \to (S_1''; S_2, m'')$. Next, by IH, $(S_1''; S_2, m'') \to^{k} (S_1'; S_2, m')$. □

Corollary E.1. $(S_1, m) \to^{*} (skip, m') \Rightarrow (S_1; S_2, m) \to^{*} (S_2, m')$.

Proof. By Lemma E.2, $(S_1, m) \to^{*} (skip, m') \Rightarrow (S_1; S_2, m) \to^{*} (skip; S_2, m')$. Then, by rule Seq, $(skip; S_2, m') \to (S_2, m')$. □

Lemma E.3. If a statement $s$ is not in $S$, then, after one step of execution $(S, m) \to (S', m')$, $s$ is not in $S'$: $(s \notin S) \wedge ((S, m) \to (S', m')) \Rightarrow (s \notin S')$.

Proof. By induction on the abstract syntax of $S$. □

Lemma E.4. If a statement $s$ is not in $S$, then, after the execution $(S, m) \to^{*} (S', m')$, $s$ is not in $S'$: $(s \notin S) \wedge ((S, m) \to^{*} (S', m')) \Rightarrow (s \notin S')$.

Proof. By induction on the number $k$ of steps in the execution $(S, m) \to^{k} (S', m')$. □

Lemma E.5. If a variable $x$ is not defined in a statement sequence $S$, then, after one step of execution of $S$, the value of $x$ is not redefined: $(x \notin \mathrm{Def}(S)) \wedge ((S, m(\sigma)) \to (S', m'(\sigma'))) \Rightarrow (x \notin \mathrm{Def}(S')) \wedge (\sigma'(x) = \sigma(x))$.

Proof. By structural induction on the abstract syntax of the statement sequence $S$, we show that the lemma holds.

Case 1. $S = $ "$id := e$". By definition, $\mathrm{Def}(S) = \{id\}$. Then $id \neq x$ by the condition $x \notin \mathrm{Def}(S)$. There are two subcases.

Case 1.1. The expression $e$ evaluates to some value $v$, written $(e, m) \to (v, m)$. Then, by rule Assign, $(S, m(\sigma)) \to (skip, m(\sigma[v/id]))$, where $m' = m(\sigma[v/id])$. Hence, $\sigma'(x) = \sigma(x)$. Besides, $x \notin \mathrm{Def}(skip)$ by definition.

Case 1.2. Evaluation of the expression $e$ crashes, written $(e, m) \to (e', m(1/f))$. Then, by rule Crash, $(id := e', m(1/f, \sigma)) \to (id := e', m(1/f, \sigma))$, where $m' = m(1/f, \sigma)$. Hence, $\sigma'(x) = \sigma(x)$. Besides, $x \notin \mathrm{Def}(id := e')$ by definition.

Case 2. $S = $ "$\mathrm{output}\ e$".

Case 3. $S = $ "$\mathrm{input}\ id$".

By an argument similar to Case 1.

Case 4. $S = $ "$\mathrm{If}(e)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}$". $\mathrm{Def}(S) = \mathrm{Def}(S_f) \cup \mathrm{Def}(S_t)$ by definition. Then $x \notin \mathrm{Def}(S_f) \cup \mathrm{Def}(S_t)$. There are two subcases.

Case 4.1. W.l.o.g., the expression $e$ in the predicate of $S$ evaluates to a nonzero value, written $(e, m) \to (v, m)$ where $v \neq 0$. Then, by rule If-T, $(\mathrm{If}(v)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m(\sigma)) \to (S_t, m(\sigma))$, where $m' = m$. Therefore, $\sigma'(x) = \sigma(x)$. By the argument above, $x \notin \mathrm{Def}(S_t)$.

Case 4.2. Evaluation of the expression $e$ in the predicate of $S$ crashes, written $(e, m) \to (e', m(1/f))$. Then, by rule Crash, $(\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m(1/f, \sigma)) \to (\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m(1/f, \sigma))$, where $m' = m(1/f, \sigma)$. Therefore, $\sigma'(x) = \sigma(x)$. Besides, $x \notin \mathrm{Def}(\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}) = \mathrm{Def}(S_f) \cup \mathrm{Def}(S_t)$.

Case 5. $S = $ "$\mathrm{while}_{(n)}(e)\{S'\}$". $\mathrm{Def}(S) = \mathrm{Def}(S')$ by definition. Then $x \notin \mathrm{Def}(S')$ by the condition $x \notin \mathrm{Def}(S)$. There are subcases.

Case 5.1. The expression $e$ evaluates to a nonzero value, written $(e, m) \to (v, m)$ where $v \neq 0$. By rule Wh-T, $(\mathrm{while}_{(n)}(v)\{S'\}, m(\sigma)) \to (S'; \mathrm{while}_{(n)}(e)\{S'\}, m(mc[(k+1)/n], \sigma))$ for some nonnegative integer $k$. Let $m' = m(mc[(k+1)/n], \sigma)$. Then $\sigma'(x) = \sigma(x)$. Besides, $x \notin \mathrm{Def}(S'; \mathrm{while}_{(n)}(e)\{S'\}) = \mathrm{Def}(S') \cup \mathrm{Def}(S)$, because $x \notin \mathrm{Def}(S')$.

Case 5.2. The expression $e$ evaluates to zero in state $m$, written $(e, m) \to (0, m)$. By rule Wh-F, $(\mathrm{while}_{(n)}(0)\{S'\}, m(\sigma)) \to (skip, m(mc[0/n], \sigma))$, where $m' = m(mc[0/n], \sigma)$. Therefore, $\sigma'(x) = \sigma(x)$. Besides, $x \notin \mathrm{Def}(skip)$.

Case 5.3. Evaluation of the expression $e$ crashes, written $(e, m) \to (e', m(1/f))$. By rule Crash, $(\mathrm{while}_{(n)}(e')\{S'\}, m(1/f, \sigma)) \to (\mathrm{while}_{(n)}(e')\{S'\}, m(1/f, \sigma))$, where $m' = m(1/f, \sigma)$. Therefore, $\sigma'(x) = \sigma(x)$. Besides, $x \notin \mathrm{Def}(\mathrm{while}_{(n)}(e')\{S'\}) = \mathrm{Def}(S')$ by definition.

Case 6. $S = S_1; S_2$. By the arguments in Cases 1 to 5, after one step of execution $(S_1, m(\sigma)) \to (S', m'(\sigma'))$, $\sigma'(x) = \sigma(x)$. By the contextual rule, the lemma holds.

□

Corollary E.2. If a variable $x$ is not defined in a statement sequence $S$, then, after an execution of $S$, the value of $x$ is not redefined: $(x \notin \mathrm{Def}(S)) \wedge ((S, m(\sigma)) \to^{*} (S', m'(\sigma'))) \Rightarrow (x \notin \mathrm{Def}(S')) \wedge (\sigma'(x) = \sigma(x))$.

Proof. Let $(S, m) \to^{k} (S', m')$. The proof is by induction on $k$ using Lemma E.5. □

Based on Corollary E.2, we extend the result to elements of array variables.

Corollary E.3. If an element $x[i]$ of an array variable is not defined in a statement sequence $S$ in a program $P = EN; V; S_{entry}$, then, after an execution of $S$, the value of $x[i]$ is not redefined: $(x \notin \mathrm{Def}(S)) \wedge ((x, *, *) \in \sigma) \wedge ((S, m(\sigma)) \to^{*} (S', m'(\sigma'))) \Rightarrow (x \notin \mathrm{Def}(S')) \wedge (\sigma'(x, i) = \sigma(x, i))$.

Lemma E.6. If all of the following hold:

1. There is no loop of label $n$ in the statements $S$, "$\mathrm{while}_{(n)}(e)\{S'\}$" $\notin S$;

2. The crash flag is not set, $f = 0$;

3. There is an entry $n$ in the loop counter, $(n, *) \in loop_c$;

4. There is a one-step execution, $(S, m(f, loop_c)) \to (S', m'(loop_c'))$;

then $loop_c'(n) = loop_c(n)$.

Proof. The proof is by induction on the abstract syntax of $S$, similar to that for Lemma E.5. □

Corollary E.4. If all of the following hold:

1. There is no loop of label $n$ in the statements $S$, "$\mathrm{while}_{(n)}(e)\{S'\}$" $\notin S$;

2. The crash flag is not set, $f = 0$;

3. There is an entry $n$ in the loop counter, $(n, *) \in loop_c$;

4. There is a multi-step execution of stack depth $d = 0$, $(S, m(f, loop_c)) \to^{*} (S', m'(loop_c'))$;

then $loop_c'(n) = loop_c(n)$.

Lemma E.7. If all of the following hold:

1. A non-skip statement $s$ is not in $S$, $(s \neq skip) \wedge (s \notin S)$;

2. There is a one-step execution of stack depth $d = 0$, $(S, m) \to (S', m')$;

then $s \notin S'$.

Proof. By structural induction on the abstract syntax of the statement sequence $S$, we show that the lemma holds.

Case 1. $S = $ "$id := e$". There are two subcases.

Case 1.1. The expression $e$ evaluates to some value $v$, written $(e, m) \to (v, m)$. Then, by rule Assign, $(S, m) \to (skip, m(\sigma[v/id]))$. Hence, $s \notin skip$ by definition.

Case 1.2. Evaluation of the expression $e$ crashes, written $(e, m) \to (e', m(1/f))$. By the parameterized type rule TExpr, $\Gamma \nvdash e'$. Then, by type rule TAssign, $\Gamma \nvdash id := e'$. Then, by rule Crash, $(id := e', m(1/f)) \to (id := e', m(1/f))$. Because $\Gamma \vdash s$, $s \neq id := e'$. Hence, $s \notin id := e'$ by definition.

Case 2. $S = $ "$\mathrm{output}\ e$".

Case 3. $S = $ "$\mathrm{input}\ id$".

By an argument similar to Case 1.

Case 4. $S = $ "$\mathrm{If}(e)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}$". $s \notin S_f$ and $s \notin S_t$ by definition. There are two subcases.

Case 4.1. W.l.o.g., the expression $e$ in the predicate of $S$ evaluates to a nonzero value, written $(e, m) \to (v, m)$ where $v \neq 0$. Then, by rule If-T, $(\mathrm{If}(v)\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m) \to (S_t, m)$. Therefore, $s \notin S_t$.

Case 4.2. Evaluation of the expression $e$ in the predicate of $S$ crashes, written $(e, m) \to (e', m(1/f))$. Then, by rule Crash, $(\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m(1/f)) \to (\mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}, m(1/f))$. By the parameterized type rule TExpr, $\Gamma \nvdash e'$. By type rule Tif, $\Gamma \nvdash \mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}$. Because $\Gamma \vdash s$, $s \neq \mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}$. Besides, $s \notin S_t$ and $s \notin S_f$ by the condition. Therefore, $s \notin \mathrm{If}(e')\ \mathrm{then}\ \{S_t\}\ \mathrm{else}\ \{S_f\}$.

Case 5. $S = $ "$\mathrm{while}_{(n)}(e)\{S'\}$". $s \notin S'$ by definition. There are subcases.

Case 5.1. The expression $e$ evaluates to a nonzero value, written $(e, m) \to (v, m)$ where $v \neq 0$. By rule Wh-T, $(\mathrm{while}_{(n)}(v)\{S'\}, m) \to (S'; \mathrm{while}_{(n)}(e)\{S'\}, m(mc[(k+1)/n]))$ for some nonnegative integer $k$. Then $s \notin S'; \mathrm{while}_{(n)}(e)\{S'\}$ by definition.

Case 5.2. The expression $e$ evaluates to zero in state $m$, written $(e, m) \to (0, m)$. By rule Wh-F, $(\mathrm{while}_{(n)}(0)\{S'\}, m) \to (skip, m(mc[0/n]))$. Therefore, $s \notin skip$.

Case 5.3. Evaluation of the expression $e$ crashes, written $(e, m) \to (e', m(1/f))$. By rule Crash, $(\mathrm{while}_{(n)}(e')\{S'\}, m(1/f)) \to (\mathrm{while}_{(n)}(e')\{S'\}, m(1/f))$. Then, by type rule Twhile, $\Gamma \nvdash \mathrm{while}_{(n)}(e')\{S'\}$. Because $\Gamma \vdash s$, $s \neq \mathrm{while}_{(n)}(e')\{S'\}$. Besides, $s \notin S'$, so $s \notin \mathrm{while}_{(n)}(e')\{S'\}$ by definition.

Case 6. $S = S_1; S_2$. By the arguments in Cases 1 to 5, after one step of execution $(S_1, m) \to (S', m')$, $s \notin S'$. By the contextual rule, $(S_1; S_2, m) \to (S'; S_2, m')$. By definition, $s \notin S_2$. Then, by definition, $s \notin S'; S_2$.

□

Lemma E.8. Let $s = $ "$\mathrm{while}_{(n)}(e)\{S''\}$". If both of the following hold:

• $s \in S$;

• $(S, m(loop_c)) \to (S', m'(loop_c'))$;

then one of the following holds:

1. The loop counter of label $n$ is incremented by one, $loop_c'(n) - loop_c(n) = 1$;

2. There is no entry for label $n$ in the loop counter, $(n, v) \notin loop_c'$;

3. The loop counter of label $n$ is not changed, $loop_c'(n) - loop_c(n) = 0$;

Proof. Let $S = s'; S''$. The proof is by induction on the abstract syntax of $s'$. □